The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has published a report highlighting how thousands of companies are sharing the personal data of hundreds of millions of people every day without a legal basis. The report also says that most of today’s online advertising is illegal at a ‘general, systemic’ level. The report was issued in response to a series of complaints made in the UK about the security and legality of the adtech ecosystem. These complaints were made by Mr. Veale, an academic, and Jim Killock, executive director of the Open Rights Group, as well as the campaign group Privacy International.

Adtech is a term used to describe tools that analyze and manage information (including personal data) for online advertising campaigns and automate the processing of advertising transactions. Real-time bidding (RTB) uses adtech to enable the buying and selling of advertising inventory in real time on an impression-by-impression basis, typically through an auction pricing mechanism. It is the type of online advertising most commonly used at present for selling visual inventory online, either on a publisher’s website or via a publisher’s app.

RTB relies on the potential advertiser seeing information about you. That information can be as basic as the device you’re using to view the webpage, or where in the country you are. But it can also form a much more detailed picture, including the websites you have visited, what your perceived interests are, and even what health condition you’ve been searching for information about. The complexity of this type of online advertising poses a number of risks to the level of data protection compliance. Hence the ICO has investigated this issue and summarized how the adtech sector should comply with GDPR. In this report, the ICO has prioritized two areas: the processing of special category data, and the issues caused by relying solely on contracts for data sharing across the supply chain.
The report highlights: “Under data protection law, using people’s sensitive personal data to serve adverts requires their explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, raises questions around the security and retention of this data.”

Key findings from ICO’s report

Adtech is disregarding special and non-special category data

Non-special category data is being processed unlawfully at the point of collection. Online advertisers believe that legitimate interests can be used as the basis for placing and/or reading a cookie or other technology (rather than obtaining the consent PECR requires). Even if an argument could be made for reliance on legitimate interests, participants within the ecosystem are unable to demonstrate that they have properly carried out the legitimate interests tests and implemented appropriate safeguards.

Special category data, relating to especially sensitive information such as ethnic origin, health background, religion, and political and sexual orientation, is also being processed unlawfully. This is because explicit consent is not being collected, owing to a lack of proper data protection practices.

DPIAs (data protection impact assessments) are tools that organizations can use to identify and minimize the data protection risks of any processing operation. Article 35 of the GDPR specifies several circumstances that require a DPIA, including the large-scale processing of special category data. The ICO states that there appears to be a lack of understanding of, and potentially compliance with, the DPIA requirements of data protection law. This increases the risks associated with RTB, which are probably not being fully assessed and mitigated.

Individuals have no control over their privacy

The ICO states that the privacy information provided to individuals lacks clarity because it is overly complex. Individuals have no guarantees about the security of their personal data within the ecosystem.
Moreover, individual profiles are extremely detailed and repeatedly shared among organizations for any one bid request, all without the individuals’ knowledge. Not only that, these organizations are processing these bid requests with inadequate technical and organizational measures to secure the data in transit and at rest. There is also little to no consideration of the requirements of data protection law on international transfers of personal data. The ICO says organizations must understand, document and be able to demonstrate: how their processing operations work; what they do; who they share any data with; and how they can enable individuals to exercise their rights.

Contract-only approach to data protection legislation should stop

The adtech industry currently uses contractual controls to provide a level of guarantee about data protection-compliant processing of personal data. However, this contract-only approach does not satisfy the requirements of data protection legislation. Organizations cannot rely on standard terms and conditions by themselves, without undertaking appropriate monitoring and ensuring that technical and organizational controls back up those terms. The ICO says that controllers must: assess that the processor is competent to process personal data in line with the GDPR; put in place a contract or other legal act meeting the requirements of Article 28(3); and ensure a processor’s compliance on an ongoing basis (for example through audits and inspections), so that the controller can comply with the accountability principle and demonstrate due diligence.

What’s next for ICO

The ICO states that its report requires further analysis and exploration. Starting in July 2019, it will undertake targeted information-gathering activities related to the data supply chain and profiling aspects, the controls in place, and the DPIAs that have been undertaken. It will also continue targeted engagement with key stakeholders.
The ICO will continue bilateral engagement with IAB Europe and Google. It may also undertake a further industry review in six months’ time; the scope and nature of such an exercise will depend on its findings over the forthcoming months.

As expected, the report was well received by netizens. However, some people took issue with it being just a guidance report, lacking real enforcement effort, and criticized the next steps section. Another issue raised was that, in spite of these problems, the adtech industry is also responsible for generating a large percentage of revenues. The ICO has responded to this:

“RTB is an innovative means of ad delivery, but one that lacks data protection maturity in its current implementation. Whilst it is more the practices than the underlying technology that concerns us, it’s also the case that, if an online service is looking to generate revenue from digital advertising, there are a number of different ways available to do this. RTB is just one of these. Whatever form organizations choose, if it involves either accessing or storing information on user devices, and/or the processing of personal data, there are laws that they have to comply with.”

Read the full report here.