Open Rights Group is taking the ICO to court over the regulator’s failure to stop unlawful practices by the AdTech industry

In an unprecedented move, privacy campaigners at the Open Rights Group (ORG) have today announced that they are taking the UK’s privacy regulator, the Information Commissioner’s Office (ICO), to court over the regulator’s failure to stop unlawful practices by the Digital Advertising Technology (AdTech) industry.

A complaint was made to the ICO in September 2018 by Jim Killock and Dr Michael Veale about systemic breaches of the GDPR by the AdTech industry, focusing on the role of the IAB (Interactive Advertising Bureau), a trade industry body, as the rule setter.

The ICO’s investigation, which was concluded in June 2019, found the AdTech industry to be in breach of the GDPR, with widespread and systemic problems in industry practices such as collecting and sharing people’s browsing history without any control over who ends up accessing such personal information.

However, despite finding unlawful practices, the ICO decided to close the investigation in September 2020 without taking any substantive action. The ICO had also ‘paused’ enforcement during the first COVID lockdown.

The co-complainants (Jim Killock and Dr Michael Veale) are now taking the regulator to court over its refusal to take substantive action against what its own investigation concluded were very serious and extensive unlawful practices.

Jim Killock, Executive Director of the Open Rights Group and one of the two complainants, said:

“The AdTech industry has driven a coach and horses through the GDPR and the ICO’s own investigation has highlighted widespread systemic abuses in the AdTech industry practices. But instead of taking action against, it has decided to close the investigation. We are determined to ensure that the law is enforced even when the regulator can’t be bothered to protect our rights and liberties.”

Dr Michael Veale, an academic at University College London (UCL) who sits on the Advisory Council of the Open Rights Group and is a co-complainant against the AdTech industry to the ICO, said:

“The ICO is expected to protect individuals against complex misuses of their sensitive data by entire industries acting outside the law, not just the simple, low-hanging fruit it can easily enforce against. This lawsuit is about stopping the ICO sweeping the most difficult cases under the carpet. Adtech isn’t simple — but dealing with illegal adtech is the ICO’s job.”

Ravi Naik, Legal Director of the data rights agency AWO who is instructed to act on behalf of the complainants, said: 

“Our clients simply want the ICO to act to prevent widespread and systemic abuses of human rights; abuses that the ICO has acknowledged occur. Rather than take steps to address those problems, the ICO have acted against our clients and closed their complaints because our clients asked them to take action. This appalling state of affairs has left our clients with little option than to take the Commissioner to the Tribunal. That the Commissioner is being taken to the Tribunal because of a refusal to act to protect our rights speaks volumes of the Commissioner’s record.

“Our clients seek no more than the protection of our rights. Why the Commissioner is refusing to act to protect us all is a matter they will have to justify to the Tribunal.”

Source: ORG

Photo by Andre Hunter on Unsplash
