Interviews, insight & analysis on digital media & marketing

Ross Webster: Understanding the ICO’s shifting focus is crucial to the digital industry

Ross Webster is a consultant at The Lucid Privacy Group and NDA’s new monthly columnist.   Lucid provides practical privacy advice and solutions to global enterprises. Previously, Ross held European MD roles at The Weather Company and Foursquare. 

The UK’s Data Protection Agency, the ICO, recently served TikTok with a ‘notice of intent’ regarding a possible £27 million fine.

The ICO’s view is that TikTok processed the data of children under the age of 13 without parental consent, processed sensitive data without sufficient legal grounds to do so, and failed to provide proper information to its users in a “concise, transparent and easily understood way.”

Althoughit is not unusual for us to read about European regulators whacking big fines onto Big Tech, the UK’s ICO has previously just ‘talked the talk’ rather than ‘walked the walk’ in their prosecution of digital privacy contraventions.

The proposed TikTok fine is too small to make any material impact on a business that generated an estimated $4.6 billion revenue in 2021. However, it could indicate that the UK regulator might be getting serious about punishing digital businesses who flaunt the law online.  

The story gives an interesting insight into a few moving parts within the current UK digital world, including the potential shifting of focus by the ICO.

In February 2019, the ICO announced an investigation into the privacy implications of Real-Time Bidding (RTB). Many readers here no doubt sat in AdTech conferences in recent years and listened to Simon McDougall (Ex-ICO Deputy Commissioner of Regulatory Innovation & Technology) relay the ICO’s opinion that the industry ‘appears immature in its understanding of data protection requirements’ and declare the ICO’s commitment to cleaning up RTB.

Although the ICO’s investigation was paused during the pandemic, the ICO signaled that it was starting its investigation again in May 2021. However, since then, the ICO, (barring their support of the CMA’s work with the Google Privacy Sandbox), has been very quiet.

Despite carrying out investigations and closing out on complaints within adtech, holding two RTB stakeholder events and writing various reports there has been a total lack of any proper enforcement by the ICO.

Many might have questions concerning whether the nature of the TikTok fine indicates that the ICO is shifting away from investigating contraventions in AdTech and turning the focus onto more tangible online harms.  They have said it has six active investigations into companies who haven’t, in their view, adequately assumed their responsibilities regarding children’s online safety.

The ICO has always stated that they will only prosecute the most serious cases.  In their Regulatory Action Policy, they affirm that they ‘will reserve our powers for the most serious cases, representing the most severe breaches of information rights obligations. These will typically involve willful, deliberate, or negligent acts, or repeated breaches of information rights obligations, causing harm or damage to individuals.’  So, we can conclude that the ICO does not deem RTB contraventions meet that benchmark.

This could be driven by a change in priorities from the ICO leadership. In January, we saw the arrival of a new Commissioner, John Edwards, and the departure of the previous Commissioners Elizabeth Denham and Simon McDougall. Edwards has stated that “we all want children to be able to learn and experience the digital world, but with proper data privacy protections.”

We are seeing a global trend focusing on children’s online privacy.  California has passed ‘The Kids Code’; New York has proposed a similar bill, and the EU’s Digital Services Act includes a few measures such as recognising the rights of the child and a ban on targeted advertising aimed at children.

This shift in focus of the ICO also markedly overlaps with political change in Post Brexit UK.  Michelle Donelan’s (the new Minister of Digital, Culture, Sport and Media) recent speech at Conservative Party Conference certainly moved the focus from enforcing bureaucratic GDPR implementation, onto online harms and children.  The Minister confirmed an ideological switch from the protection of personal data towards increased and wider use and sharing of data to promote business.

It seems the ICO has determined that there are bigger dangers on the internet to children’s safety than the use of cookies and online tracking to serve ads.  Although RTB is described by some privacy advocates as “the biggest data breach ever recorded,the risk to children is arguably a far more important priority.