Our Adtech challenge: what we won, what we lost and what we do next

On Friday 26 November 2021, the Upper Tribunal ruled (in Killock and Veale & Ors v Information Commissioner (GI/113/2021 and ors) on our challenge against the ICO’s handling of our complaint concerning illegal data processing in the AdTech sector.

While they refused our core request — to require the ICO to reopen the complaint on account of the lack of an outcome, we won key concessions and admissions which will help shape the future accountability of the ICO and the rights of future complainants. We expect the ICO to take a more proactive approach to complaints following the judgment and will continue to hold the ICO to account where they fail to do so.

The Upper Tribunal supported ORG by :

• accepting that the regime for holding the ICO to account is incoherent and in need of reform
• confirming (against the ICO’s arguments) that a complaint that both relates to individuals and systemic, industry-wide illegality is a ‘real’ complaint under the GDPR
• confirming for the first time that the Tribunal, not the Commissioner, decides what is an ‘appropriate’ step to respond to a complaint.
• confirming that the s.166 remedy cannot be reduced to a “formalistic remedy” and that the Tribunal will scrutinise the steps taken by the ICO in response to a complaint.

However, there were issues the Tribunal either ignored or misunderstood. Most significantly, the Tribunal did not grapple with the question of whether an appropriate outcome had been reached in our case, despite the ICO’s failure to determine the substantive issues in our complaint. We consider that an outcome that our complaint had “assisted and informed the ICO’s broader regulatory approach” did not provide an outcome to our complaint in any meaningful sense. The Tribunal’s failure to engage with this question hinged on its (mistaken) belief that it had no jurisdiction under s.166 to consider the substantive question of whether that outcome was appropriate. Instead, it claimed we should have turned to judicial review if we wanted those kinds of answers. We believe the Tribunal has fundamentally misunderstood its jurisdiction and what s.166 enables and empowers it to do.

However, it is crucial to look at the bigger picture. We have achieved the remedy we sought, which was to get an industry-wide investigation into AdTech. It may or may not be a coincidence that the ICO released another AdTech report on the same day the judgment was communicated to us, again highlighting widespread illegality within the industry. For the first time, this report confirms that the ICO is slowly starting, 3 years in, to use some of its formal investigation powers against currently undisclosed AdTech firms. The end of tracking seems nigh and our ICO complaint has played a he critical role in bringing this about. The ICO rightly acknowledge that “the original complaint submitted by [ORG] and the additional supporting documentation received … have been central to shaping the ICO’s plans to address the issues that exist within the RTB ecosystem.” While the end of invasive RTB as we know it is coming, we would not be here without our complaints, and pushing and holding the ICO to account as we have been since September 2018. We have done so in coordination with partners in the UK, such as Privacy International who also reported complementary issues to the ICO in late 2018, and parallel efforts in the EU, including with the ICCL, Panoptykon Foundation, the Civil Liberties union for Europe and EDRi.

Owing to the progress we have made and the need to focus our resources we do not intend to appeal the errors in the Tribunal’s judgment to the UK Court of Appeal. Rather, we plan to focus our resources on getting accountability and change around privacy and power in AdTech to ensure that fundamental rights cannot be flouted with impunity and guarding against the Adtech system being replaced with something worse. Going forward, we intend to continue these twin efforts against AdTech and ineffective data regulation.

How We Got Here

Background

In September 2018, we started a challenge to surveillance advertising and the widespread illegality in the field of online advertising and tracking. Jim Killock from Open Rights Group and Dr Michael Veale from University College London filed a complaint to the Information Commissioner’s Office (ICO) against Real-Time-Bidding (RTB), in particular the Interactive Advertising Bureau’s “Open RTB” and Google’s “Authorised Buyers” systems. Supporting our complaint was an expert report from Dr Johnny Ryan, now Senior Fellow at the Irish Council of Civil Liberties (ICCL). Privacy International filed a separate category of submission to the ICO, a “Request for an Assessment Notice”, against different AdTech actors in November 2019, citing our complaints.

RTB is business practice that underpins the toxic Internet we all complain about nowadays. Every time you visit a website, all manner of information about your visit is sent through systems orchestrated by organisations including Google and the IAB to thousands of companies. These companies will try to “enrich” this data further with the help of data brokers to learn as much about you as possible so they can target certain advertisements to you, based on what they believe you may be interested in. All these transmissions — the websites you visit, the videos you watch, the articles you read — are collated over time and linked to data from many other sources in detailed profiles, forming a vicious cycle of tracking. These mechanisms lead to a race-to-the-bottom in privacy and data protection practices as advertisers try to race-to-the-top to attract your eyeballs, clicks and purchases.

The mechanisms of RTB directly result in creepy ads, but even more concerningly incentivise a general installation of surveillance mechanisms across the entire digital landscape, and a corrosion of data protection rights. RTB incentivises websites to configure cookie banners illegally such that you cannot say no to them. The same data brokers powering RTB, and often even claiming their data is anonymous, sell the military, the police and immigration services, and claim to be so detailed as to be able to support contact tracing and monitoring social distancing. Even small AdTech companies retain hundreds of millions of bid requests without a legal basis to get an upper hand on their competitors. The basic idea and tools of RTB, to be able to distinguish between individuals to show them very different messages, infiltrates the political and commercial spheres, including attempts at voter suppression through microtargeting or illegal price discrimination. The same infrastructures used and developed by AdTech have also long been piggybacked on by intelligence agencies for the purposes of mass surveillance, as revealed as far back as the Snowden revelations. These practices are not even justified by supporting legitimate publishers to keep their content open and affordable, as the orchestrators and intermediaries of these technologies take a whopping proportion of any advertising revenue and obscure the effectiveness of their advertising to keep the cash flowing. And far from an open market, the powerful central coordinating actors of RTB regularly use their power to change the way that advertising systems work to retain the upper hand.

Today, online advertising is, slowly, undergoing reform. Regulatory pressure has mounted in the United States and the European Union alike. The AdTech industry is also trying to reshuffle their cards, with Google announcing plans to eliminate third-party cookies but replace them with another infrastructure they control, Google Chrome. Other AdTech players trying to propose their own tweaks to RTB, largely trying to resuscitate the transparency and consent framework that is inherently unfit for purpose for a huge, opaque system of tracking and data transfers.

Where we are

It is worth taking stock of how far we have come since 2018. Our complaint to the ICO, filed in parallel with a complaint in Ireland to the Data Protection Commission by Dr Johnny Ryan, ignited the heat the industry is currently facing. ORG then coordinated parallel complaints based on our own complaints, filed in 2019 (with coordination support of Liberties.EU) in now more than 20 jurisdictions.

As a result, the industry is facing a reckoning that they cannot comply with the GDPR. In particular, the Belgian DPA, the leading data protection authority for the complaint against the Interactive Advertising Bureau (IAB), conducted an investigation and released a preliminary report that found the IAB to be in breach of their duties to use personal data in a lawful, transparent, fair and secure manner. This led to formal proceedings against the IAB, where the Belgian DPA has, in draft, declared the IAB Transparency and Consent Framework (TCF) to be illegal. This draft decision is not public yet and will be reviewed by other EU DPAs before becoming effective. Although there is still a way to go, the direction of this Belgian decision is incredibly important.

Firstly, TCF is the system that underpins most of the annoying cookie banners. This would be a nail in the coffin for cookie banners, confirming that the TCF system of cookie consent notices is broken and illegal under EU data protection law.

Secondly, the decision appears to have found the IAB to be a “joint controller” in the exercise of TCF, and thus the illegal practices behind AdTech can be rightly pushed to the industry’s door. This is the argument we made initially to the ICO, which we are glad to see has been endorsed. The importance of this finding cannot be underestimated, both within this case and on a wider scale. Powerful co-ordinating forces have steered AdTech into the illegal mess we have today, and if we are to have a chance of systemic change, it is those co-ordinating forces that have to be targeted for change. AdTech companies have been hiding and dodging accountability under the pretence that they don’t hear, don’t see and don’t speak about the obvious breaches of security and the law that affects RTB systems and the continual transfer of personal data between thousands of nameless companies. Recognising the role of IAB as joint controller would finally put an end to this charade and hold AdTech companies to account for their deliberate, protracted and repeated illegal conduct. This case may well end up in the Court of Justice of the European Union, and add to the array of AdTech decisions in that court that attempt to pin some responsibility for AdTech in a system which designs itself to be as slippery as possible.

The ICO and the Tribunal

The ICO endorsed the damning conclusions on the Adtech industry we made in our complaints. Following an investigation into AdTech and real time bidding, as they got to grips with just how bad the practices in the industry were, the Commissioner released an update report in 2019 that corroborated our complaint. Current AdTech practices were found to be rife with illegality in many different ways, and ultimately incompatible with our fundamental right to data protection. The update report showed the regulator opening its eyes to a problem that it had blindly permitted for the previous decade.

Despite this promising beginning, the ICO soon ran out of steam and regulatory will. Rather than enforcing the law and bringing the industry into compliance, the ICO gave the industry a six month window “to work on” the points raised in their report. The AdTech industry took this opportunity to double down on compliance mechanisms which did not deal with the structural issues that cause the illegality in the first place. The ICO’s reaction to this inaction was another pause in their investigation because of the Covid crisis — a crisis which saw people spend more time on their devices than ever before.

Eventually, the ICO resumed their investigation. They simultaneously wrote to us informing that our RTB complaint had concluded. It is worth noting that a complaint is not just a way to inform a regulator about illegality but has a special legal status. It gives complainants rights to updates on any investigations occurring, and legal rights and remedies against the ICO. In an ideal world where regulators could be trusted to thoroughly investigate an issue and put a stop to illegal practices using the powers they have been granted in law, these rights may be less pronounced. In this case however, the ICO had already gone three years with no use of their regulatory powers despite a finding of systemic illegality across an entire sector. This, following more than a decade of inaction and unenforced data protection law, paints a picture of a regulator who needs careful oversight from civil society and the courts. This is not unusual. The only reason for wins by Max Schrems in the Safe Harbor and Privacy Shield sagas relating to Facebook, EU-US data transfers and the unaccountable US surveillance regime was because the Irish regulator could be challenged by its complainants and be accountable in Irish and European courts.

To retain accountability over the ICO in relation to the specific complaint we made against Google and the IAB, key joint controllers in this sector, we planned to challenge the ICO using the law, with a simple goal: challenge the decision of the ICO to close this complaint, as there is no resolution or outcome despite the ICO still investigating the specific industry actors we named and described, and having expressed grave concerns about their illegality in a very public manner in its Update Report. If the ICO were allowed to shut complaints before it had properly resolved them simply because they were complex and required a broad investigation and call an ‘investigation’ an ‘outcome’, then that creates a lopsided system. The only people who can appeal against ICO action would be the controllers themselves. Complainants could never challenge the ICO for inaction or insufficient enforcement if they are shut out of complaints that directly affect them before the ICO has fully resolved them.

The path to keep the ICO accountable for their failure to appropriately deal with our complaint was not as straightforward as you might expect. The UK Data Protection Act 2018 provides an avenue for redress against ICO inaction in the tribunal system. However, the Tribunal in previous cases had found it was competent for procedural matters only: in other words, they would only hear cases where the ICO failed to meet a statutory deadline or provide written updates within a given timeframe. This supported the notion of the ICO as a regulator that mainly ticks boxes rather than robustly enforces the law, and of the Tribunal as an organ with limited procedural powers to review the ICO’s actions. Yet the difference between substance and procedure is not a neat one to draw and so we wanted to test this.

In our case, it was clear the ICO had not yet addressed the issues we raised in our complaint and thus had not yet reached an ‘outcome’, but had rather embarked on its ‘investigation’ into the matters complained of. This raised the question of ‘is our outcome an outcome?’ which should be dealt with by the Tribunal.

Our case started in the General Regulatory Chamber but was streamlined to the Upper Tribunal because of the important legal issues it raised regarding the Tribunal’s jurisdiction to rule on such matters. Therefore, this challenge only related indirectly to AdTech but directly related to the ICO’s role as an effective, reactive and accountable regulator in this space. The Tribunal was not asked about whether Google or IAB had been acting illegally but instead was asked to hold the ICO to account so that they would reopen and act on our AdTech complaint.

We remain without proper guidance from the Tribunal as to when an outcome is to properly be considered an outcome. However, we continue to work with the ICO and will ensure we and the public are able to exercise their rights to an effective remedy against the Tribunal.

We were represented in the Tribunal by Maya Lester QC, Julianne Kerr Morrison, Nikolaus Grubeck and Gerry Facenna QC, who were instructed by Ravi Naik and Cassie Roddy-Mullineaux from AWO.

We were directly supported by generous donations from ORG members and supporters from across the world.

Tribunal Outcomes

The Tribunal did not demand the ICO re-open the complaint, and we did not get all we wanted from this judgement.

The Wins

The judgment contains many positive aspects:

Firstly, the Tribunal conceded that the law holding the ICO to account is broken and that it does not support a coherent regime for data subjects nor enable an effective regime for creating case law. The Tribunal has endorsed that the regime be reformed by Parliament in a postscript to the judgment.

Secondly, we helped divert the Tribunal from the trajectory of their previous cases, which were heading towards a regime where the ICO was operating effectively as long as it updated individuals on the status of their complaints, regardless of the quality of these updates. The Tribunal has for the first time acknowledged that it is the Tribunal’s role, not the Commissioner’s, to decide whether the quality of the ICO’s action is ‘appropriate’ or not. It has acknowledged that the Tribunal’s powers over the ICO “should not be reduced to a formalistic remedy and [s.166 orders] have real content in the sense of ensuring the progress of complaints”.

Thirdly, the Tribunal confirmed the validity of making ‘systemic’ complaints about widespread abuses that also affect the complainants, which the ICO had tried to deny. The Information Commissioner had, during these proceedings, submitted that we were not actually complainants, despite the ICO handling our complaints from the start as part of their individual complaints procedure and confirming on several occasions to us that we were individual complainants. It argued that if individuals complained about widespread illegality that was systemic in nature, that also affected them as individuals, they were not making a ‘complaint’ at all and would not benefit from, for example, the ability to challenge the ICO in court about any potential outcomes. The Tribunal rejected the ICO’s claim that our complaint was not a complaint about the infringement of our individual rights. This is extremely important for digital rights organisations going forward, as the ICO has many ‘systemic’ issues on its hands resulting from a lack of enforcement over previous years.

Finally – the most significant for last! As with our previous actions to force the ICO to consider AdTech, it appears that this judgment has spurred the ICO into further action on the industry: on the same day as our case received its judgment, the ICO released a further report on AdTech, again highlighting widespread illegality. The end of the AdTech industry is nigh and our ICO complaint has had a crucial role in bringing this about.

When is an outcome an outcome

In closing our complaint, the ICO argued that “the outcome [was] that it has assisted and informed the ICO’s broader regulatory approach to RTB”. In essence, the ICO held that they fulfilled their obligation to act upon our individual complaints, despite the fact there was no determination by the ICO of whether our rights had been infringed or what action the ICO would take in response to any unlawful processing identified.

The Tribunal concluded that it did not have jurisdiction under s.166 to consider if the ICO had reached a meaningful outcome. While the Tribunal accepted it had jurisdiction to consider if appropriate steps had been taken in response to our complaint, the Tribunal held that it was not empowered to consider if the outcome provided by the ICO in shutting our complaint was appropriate. The Tribunal suggested that if we had issues with the outcome of the complaint, we would have needed to bring a judicial review action.

We don’t agree that the Tribunal lacks jurisdiction under s.166 to consider if the outcome provided to us was meaningful, or that the High Court is the appropriate venue to determine such matters. However, the Tribunal accepted it has jurisdiction to “decide the question of appropriateness for itself” when it comes to assessing if the ICO had responded appropriately, taken appropriate steps, or investigated the complaint to the extent appropriate. In our case, it was obvious that the ICO had not yet reached any determination on the substantive issues we had raised in our complaint, including whether our individual rights had been infringed, but had only embarked on investigation into the broader industry. Investigation clearly does not equal outcome in any meaningful sense. Thus, deciding on whether the outcome provided by the ICO in those circumstances is clear s.166 territory for the Tribunal. It is unclear why the Tribunal should shy away from assessing the appropriateness of an outcome which failed to determine the matters complained about.

We believe the Tribunal has made an error of law in this regard. We expect this legal error will be remedied by the Tribunal in due course, no doubt because it will be the subject of further appeals. However, if there truly is a lacuna in the law, based on how the UK has enacted its data protection legislation (as the Tribunal suggested in its judgment), then Parliament will need to urgently rectify this to ensure the full and complete protection of data subjects.

Implications of Tribunal’s position

In the interim, however, this leaves a rather unsatisfactory position regarding the s.166 remedy. The Tribunal’s current interpretation of jurisdiction leads to a system where, unlike data subjects, data controllers benefit from a substantive review of an action taken against them by the ICO in the much cheaper and more accessible Tribunal, while the remedy for data subjects is much more limited. This issue was acknowledged by the Tribunal, which endorsed future legal reforms in a postscript to the judgment.

The policy reason for jurisdictional disconnect, which is hardly helpful for litigants in person, or for developing a coherent system of precedent, is not immediately apparent. A comprehensive strategic review of the various appellate mechanisms for rights exercisable under the DPA is arguably long overdue.

Furthermore, the Tribunal’s position on s.166 suggests the ICO can provide what it labels as ‘outcomes’ to complaints without fear of scrutiny by the Tribunal of its actions. However, in its judgment, the Tribunal has positively confirmed that the s.166 remedies do have bite when it comes to scrutinising the appropriateness of the investigation undertaken by the ICO and the appropriateness of its steps in response to the complaint. Thus, if the ICO simply ceased handling a complaint, without pursuing any investigation into the matters complained of, it is unlikely the ICO would be viewed to have acted appropriately in that instance, even according to the Tribunal’s restrictive interpretation of the s.166. In our case, the Tribunal’s decision seemed heavily swayed by the fact that the ICO had begun an industry-wide investigation. This is unlikely to be the case in other matters before the Tribunal.

Aside from the jurisdictional errors, the Tribunal also made decisions on some points that we never argued: that we wanted to have our complaint run alongside and governing any AdTech investigation the ICO was taking. Instead, we were arguing that legally important procedural rights that related to our original complaint should continue until an outcome was provided.

What’s ahead for AdTech

At the same time as this judgment, the ICO released another AdTech report analysing the shortcomings of industry proposals that are meant to replace RTB. We welcome the ICO’s findings about the utter incompatibility of these systems with legal and ethical requirements.

At the same time, we do not endorse the failure of the ICO to not crack down harder on an industry that the ICO found was acting unlawfully in June 2019 (and most likely acting unlawfully since its inception). The ICO’s regulatory inaction makes for stark contrast with developments in Europe, where even the complexity and bureaucracy of cross-border complaints has not prevented the Belgian DPA issuing an enforcement decision in this matter. The ICO should be more proactive and seek to protect our rights. ORG will continue to hold the ICO’s inaction to account.

For the Tribunal, there are still unanswered questions as to what constitutes an appropriate ‘outcome’ to a complaint and its jurisdiction to grapple with these issues. It cannot be legally correct that the Tribunal must blindly accept that what the ICO claims is an appropriate outcome is indeed an appropriate outcome, if that outcome does not reach an outcome in any meaningful sense such as where it does not address the issues complained of.

However, we have choices here, and resource constraints. We have won the bigger battle which was getting an investigation into Adtech. Rather than pursue the legal errors we have identified to the UK Court of Appeal, we intend to focus on illegality in AdTech and leave the jurisdictional challenge for a different set of facts. We will soon be updating supporters with information on our next steps to continue to apply leverage using the legal tools at our disposal to pursue key actors in the AdTech system. In the last three years, we have set the ball rolling, and things are finally moving which is positive. However, there is a real need for further pressure, information, and collective action to secure real change for data protection and privacy rights in the UK and across the world.