Letter to ICO re Out Of Control report

Report: Letter to ICO re Out Of Control report


Title: Letter to ICO re Out Of Control report

Author: Jim Killock

Published: 14 January 2020

Download the report as a PDF

Information Commissioner Wycliffe House
Water Lane, Wilmslow

Dear Elizabeth Denham,

Re: The adtech industry is not respecting consumers’ privacy

We would like to bring to your attention a report published on January 14th by the Norwegian Consumer Council, which looks into the hidden side of the data economy. The report, titled “Out of Control”,shows how the online marketing and adtech industry operates. It concludes that the comprehensive tracking and profiling of consumers that is at the heart of the current adtech ecosystem are by their very nature exploitative practices which do not respect the General Data Protection Regulation (GDPR).

This report extends the information available concerning the Adtech industry. Practices such as “real time bidding” are as you will know the subject of a complaint filed to you on Michael Veale and my behalf, and which your organisation has already highlighted as failing to meet basic legal requirements. This report details further problems specifically with applications installed on smartphones.

Consumers carry their smartphones everywhere and these devices record information about sensitive topics such as their health, behaviour, interests and sexual orientation. The report focuses on the personal data collected from mobile apps and the hidden ecosystem behind them. It shines a light on the commercial third parties that, hiding in the background beyond consumers’ sight, receive and exploit consumers’ personal data. The analysis comprises of 10 apps from different categories (e.g. dating, fertility tracking, children’s apps) and identifies the following main problems:

Personal data is systematically hoovered and exploited by multiple businesses under questionable and/or potentially invalid legal bases and in any case beyond the consumer’s knowledge or control. In particular:

Companies do not obtain valid consent from consumers to process their personal data, including for the processing of data which would fall under Article 9 of the GDPR (special categories of data) and would therefore require explicit consent.

Companiesalsofailtomeettherequirementsfortheuseoflegitimateinterestsas a legal basis for processing the data, which in any case would not be a suitable legal basis for the processing operations analysed in the report.

In addition to being used to display targeted advertising, the comprehensive profiling and categorization of consumers can trigger different types of harm, both for individual consumers and for society as a whole. This includes different forms of discrimination and exclusion, widespread fraud, manipulation, and the chilling effects that massive commercial surveillance systems may have both on individuals and more generally on consumer trust in the digital economy.

- Consumers cannot avoid being tacked firstly because they are not provided with the necessary information to make informed choices when launching the apps for the first time. But secondly also because in any case the extent of tracking, data sharing, and general complexity of the adtech ecosystem is incomprehensible to them. Individuals cannot make real choices about how their personal data is collected, shared and used.

- Even if consumers had comprehensive knowledge of how adtech works, there would still be very limited ways to stop or control the data exploitation. The number and complexity of actors involved in the adtech ecosystem is staggering, and consequently consumers have no meaningful ways to resist or otherwise protect themselves.

All of this means that the massive commercial surveillance going on throughout the adtech ecosystem is systematically at odds with our fundamental rights and freedoms. These problems are also contributing to the erosion of trust in the digital economy and negatively impacting our democratic processes.

On the basis of these findings, the Norwegian Consumer Council is filing a series of complaints before the Norwegian Data Protection Authority against various adtech companies and the dating app Grindr. National regulators and enforcement authorities must take active enforcement measures to address these issues and ensure that the adtech industry fundamentally changes the way it operates.

We hope that you will share our concerns regarding the issues brought up in this report. The research has been carried out in Norway, but some of the apps analysed (e.g. Grindr) operate in the United Kingdom and the adtech companies subject to the complaints filed by Norwegian Consumer Council are highly likely to be processing data of British consumers as well.

We urge you to investigate these issues. The concerns raised by commercial surveillance and the adtech industry practices affect the whole of the EU.

Yours sincerely,

Jim Killock

Executive Director, Open Rights Group

https://www.forbrukerradet.no/out-of-control/