The ICO has announced that it has resumed its adtech investigation, which was paused due to the pandemic. In a second announcement, it considers data flows and cooperation under the TCA.
Adtech investigation resumes
The Deputy Commissioner of the ICO has announced that the previously paused investigation into real-time bidding (RTB) and the adtech industry has now resumed. The announcement states:
“Enabling transparency and protecting vulnerable citizens are priorities for the ICO. The complex system of RTB can use people’s sensitive personal data to serve adverts and requires people’s explicit consent, which is not happening right now. Sharing people’s data with potentially hundreds of companies, without properly assessing and addressing the risk of these counterparties, also raises questions around the security and retention of this data”.
The ICO plans to carry out a series of audits focusing on digital market platforms and it will issue assessment notices to specific companies in the coming months. The outcome of these audits will provide a clearer picture of the state of the industry.
Data broking also plays a large part in RTB. Following its data broking investigation into offline direct marketing services and its enforcement action against Experian in October 2020, the ICO will be reviewing the role of data brokers in the adtech ecosystem. The ICO says that the investigation is vast and complex and, because of the sensitivity of the work, there will be times where the ICO cannot provide regular updates. However, the ICO will publish its final findings after the investigation is concluded.
It calls on all organisations operating in the adtech sector to assess how they use personal data as a matter of urgency and points out that it has existing guidance in this area, which applies to RTB and adtech in the same way it does to other types of processing, especially regarding consent, legitimate interests, data protection by design and data protection impact assessments. The ICO is also continuing to work with the CMA to consider Google’s Privacy Sandbox proposals to phase out support for third-party cookies on the Chrome browser.
UK-EU Trade and Cooperation Agreement
Separately, the ICO has issued a blog post on the recently agreed Trade and Cooperation Agreement (TCA) between the EU and the UK. The ICO points out that the data protection aspects of the TCA were very important. The TCA contains both short-term provisions, allowing data to continue to flow from the EU to the UK, and long-term commitments, such as maintaining high standards of data protection.
The TCA contains an important safety net, allowing transfers of data from the EU to the UK to continue without restriction for four months whilst the EU considers the UK’s application for adequacy. This bridge contained within the TCA will provide a legally robust mechanism that can give UK organisations confidence to continue digital trade in the coming months. The EU has committed (in a Declaration alongside the TCA) to consider the UK’s adequacy application promptly. The UK government is taking the lead on that process, with the ICO providing independent regulatory advice when appropriate. The ICO says that it will publish more details in due course as the outcome of the adequacy process becomes clear.
While waiting for an adequacy decision, any new UK adequacy regulations, standard contractual clauses or ICO approvals of international transfer mechanisms must be put before the EU–UK Partnership Council (the PC). Further, the UK must notify the PC, as far as reasonably possible, of any new international agreement between public authorities for international transfers. If any UK public authority intends to enter into such an agreement, it should notify the DCMS.
The ICO also points out that there is no guarantee that the EU will grant the UK an adequacy decision and businesses should continue to take sensible precautions for any eventuality.
The blog post also considers law enforcement provisions in the TCA. Part three of the TCA sets out detailed provisions allowing data sharing for law enforcement. It includes arrangements for the transfer of DNA data, fingerprints, palm vein, vehicle registrations and Passenger Name Record (PNR) data. It also allows for the UK to access data from EUROPOL and EUROJUST. Part three also contains important commitments to key elements of data protection and for the ICO to be consulted about data protection assessments related to PNR data.