As data protection becomes an increasingly global conversation, businesses are having to familiarize themselves with a growing list of international data protection authorities and government departments. One of them is the U.K.’s ICO.
ICO stands for Information Commissioner’s Office (not — as commonly misinterpreted outside the U.K. — for the cryptocurrency-related term Initial Coin Offering) and is the U.K.’s lead data protection authority. To date, its importance has been understood predominantly in the U.K., but with the U.S. and other countries adopting similar laws to the General Data Protection Regulation, that needs to change quickly.
WTF is the ICO?
The ICO can be considered the U.K. equivalent of the Federal Trade Commission’s Bureau of Consumer Protection. With over 700 employees, the ICO is one of the biggest and best-resourced data protection authorities in Europe, alongside Germany’s. It is the official body designated to rule whether a business is in breach of the EU’s General Data Protection Regulation in the U.K. market. It has the power to issue any business it deems in breach of the GDPR with financial penalties of up to €20 million ($23 million) or 4% of a company’s annual revenue (whichever is higher). It has already fined numerous digital businesses for misuse of consumer data.
So, the ICO is basically the same as the FTC?
Not really. Like the ICO in the U.K., the FTC is the de facto privacy regulator in the U.S. But the legal frameworks each body enforces are very different. The U.K. has stronger laws, particularly with GDPR, yet the FTC has been a more active enforcer to date — and has issued larger fines. The FTC’s largest privacy-focused penalty to date was the $22.5 million fine levied at Google for its circumvention of Safari consumer privacy settings in 2012.
Why is the ICO a worry for ad tech?
The ICO sets the bar for how strictly it will enforce GDPR. Just over a year has passed since GDPR was enforced last May, and the ICO has been quietly investigating the ad tech sector’s application of the law. So far, it hasn’t liked what it has seen. On June 20, it issued a report intended as a warning to ad tech to clean up its act. It outlined several areas in which ad tech should not be operating specifically within the area of how personal data is used within programmatic advertising’s real-time-bidding methods, which take place on the open exchange.
Why is this relevant for the U.S. market if it’s a U.K. regulator?
It is likely that given the size and resources of the ICO among Europe’s data protection authorities, privacy activists in the U.S. will seize on this document as a tool with which to further strengthen their lobbying for more data privacy scrutiny in the U.S. “That document is 100% going to be part of the dialogue in the U.S.,” said Brian Kane, co-founder of U.S. ad tech firm Sourcepoint. “Its analysis is not European — it is around the technological framework [of programmatic advertising,] which is global by design. It will be mimicked and reproduced and introduced as part of the conversation in the U.S.”
But for now, the ICO is more of a worry for ad tech companies in Europe, right?
Wrong. GDPR may once have been a Europe-only problem, but its tentacles have since stretched far outside of Europe. In the U.S., California has passed its own equivalent to the California Consumer Privacy Act, due to roll out in 2020. New York and Washington State are exploring their own alternatives, and the state of Nevada has just launched its own version. U.S. Congress is already discussing whether or not to implement a federal rather than state-by-state law. Last year, several ad tech vendors like Drawbridge and Verve exited Europe citing GDPR as their prime reason, only to be hit with the CCPA, which they have no choice but to comply with, according to ad tech sources. The ICO does have the right to make cases against any U.S. company that has services in Europe, regardless of where their ad servers are based. Although it is yet to enforce that.
Has the ICO fined a global company yet, or just domestic?
The ICO has already sought to issue Facebook with a maximum punishment for its part in the Cambridge Analytica scandal. Granted the fine given was only £500,000 ($635,000) — a sum that can be easily dismissed as a drop in the ocean for the social platform. The ICO was criticized for this. But the core point that gets overlooked is that the ICO would have had the power to fine up to 4% of Facebook’s annual revenue, had the investigation taken place after the arrival of GDPR, where maximum fines can be up to 4% of a company’s annual revenue. For Facebook, that would be into the billions. The ICO was clear that had it been able to investigate post-GDPR, the fine would have been far closer to that maximum penalty.
Last March, the British Parliament also granted the ICO the power to raid Cambridge Analytica’s offices and examine its records. A couple of months later, the ICO ordered Cambridge Analytica to hand over all data and information it held on David Carroll — a U.S. citizen and associate professor at Parsons School of Design in New York — who had previously been denied access by the company. That legal decision paved the way for millions of other American voters to request their data back from the firm under British Protection laws. Carroll wasn’t able to obtain the information under U.S. law.
“The ICO is one of the largest, if not the largest DPA in Europe — their perspective matters,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “They have significant resources in terms of investigators and attorneys, and their experience on the Facebook investigation also makes them very informed.”
Are there individual commissioners we should watch?
By now, most in the media and advertising industries in the U.S. will be familiar with Danish politician Margrethe Vestager, the lead commissioner for the European Commission who has brought significant antitrust fines against Google owner Alphabet and has also issued major fines to Apple and Amazon for unpaid taxes in 2017. But other ones to watch are the ICO’s chief commissioner Elizabeth Denham, who is the former data privacy commissioner for Canada, the face of GDPR and led the Cambridge Analytica U.K. investigation. Her counterpart at the Irish DPA Helen Dixon is another one to watch.
Why is the Irish DPA important to know about too?
The Irish DPA may not match the size and resources or profile of the ICO, but that is likely to change. That is because Facebook’s and Google’s official European headquarters are in Ireland, and that means that their allocated lead authority for GDPR is the Irish DPA, not the ICO, nor the French DPA CNIL which has already sought to fine Google €50 million ($57 million) for violating GDPR. The Irish DPA now has dozens of investigations underway into businesses, including Facebook and Google. Its verdicts, and the line taken by its chief commissioner Helen Dixon, will have ramifications on the entire global ad tech market.