The UK’s data protection watchdog has responded to Meta’s announcement yesterday that it intends to offer (other) Europeans a free choice to deny its tracking-for-ad-targeting but won’t be asking UK users for their consent to its surveillance — with some, er, pointed remarks.
Take it away Stephen Almond, the Information Commissioner’s Office (ICO)’s executive director of regulatory risk, with this “ICO statement on Meta“:
As a digital regulator, we pay close attention to how companies operate internationally and how people’s rights are respected.
We’re aware of Meta’s plans to seek consent from users for behavioural advertising in the EU, to the exclusion of the UK. This follows related findings by the Court of Justice of the European Union, Irish Data Protection Commission and Norwegian Data Protection Authority.
We are assessing what this means for information rights of people in the UK and considering an appropriate response.
Almond’s carefully worded remarks (“close attention”; “assessing what this means for information rights of people in the UK”, “considering an appropriate response”) suggest the regulator is not best pleased that the adtech giant formerly known as Facebook isn’t intending to give UK users the same level of respect for their data rights as people in the EU, European Economic Area (EEA) and Switzerland are, apparently, set to get soon.
Simply put it looks very awkward indeed for the ICO, and terrible news for UK users stuck in their post-Brexit not-so-sunny-uplands, that Meta has calculated it doesn’t have to offer the same degree of respect for their information as it must for Europeans living elsewhere in the region.
Especially since Meta is doing this at a time when UK data protection law is still based on the pan-EU General Data Protection Regulation (GDPR). (I mean, the UK government’s plan to water down the domestic privacy regime, via touted post-Brexit data “reforms”, hasn’t even made it onto the statute books yet! So, on paper, the privacy regime is the same as it was when the UK was in the EU.)
The specific issue the ICO is facing up to here is that defence of domestic data protection rules now falls squarely on its shoulders — with no protective shielding from the Court of Justice of the EU handing down the last word on how the law must be enforced. Since January 31 2020, when Brexit was fully enacted by the UK government, rulings made by the CJEU don’t apply in UK law. And, notably, Meta has only been moved to — finally — announce its intention to give Europeans a choice to deny its tracking-for-ads in the wake of a major CJEU ruling last month.
That also followed a significant January 2023 GDPR enforcement by EU data protection regulators. And an emergency intervention by Norway last month banning Meta’s behavioral ads locally over the legal basis issue — rather than waiting for Ireland, Meta’s lead regulator, to do it across the whole EU.
The cumulative impact of all these EU procedures has left the tech giant with no lawful basis left to claim under EU law for the data processing it carries out to “personalize” ads — except consent. So there is now momentum behind GDPR enforcement that is having a tangible impact on reforming privacy-hostile business models. But, sadly for people in the UK, it sits outside the EU’s implementation of GDPR. And so… no Meta consent intent for Brits!
The bloc also hasn’t stood still on lawmaking since the UK upped and left. It’s actually been highly active on digital regulations. Including undertaking a major piece of ex ante competition reform, called the Digital Markets Act — which also appears to be giving Meta pause for thought on its ads data processing.
The company’s blog post update yesterday announcing its intention to switch to consent for ads data processing in the EU referenced “a number of evolving and emerging regulatory requirements in the region, notably how our lead data protection regulator in the EU, the Irish Data Protection Commission (DPC), is now interpreting GDPR in light of recent legal rulings, as well as anticipating the entry into force of the Digital Markets Act (DMA)” as informing its decision.
And, well, the DMA doesn’t apply in the UK either. Just as the Irish DPC’s GDPR enforcement and the CJEU’s interpretation of how to apply the GDPR don’t.
Meta switched UK users’ data from falling under its Irish subsidiary to its US entity earlier this year, taking UK users firmly out of EU jurisdiction. That’s Brexit folks! (A ‘Made in the UK’ digital ex ante competition reform also hasn’t made it into domestic law after facing delays as a result of political turmoil in the governing Conservative party in the wake of, er, Brexit… So there’s no UK equivalent to the DMA yet either.)
The even more particular problem for the ICO is it has systematically failed to act on similar complaints about adtech tracking lacking a proper lawful basis for — literally — years.
It was actually sued for inaction back in 2020 over just such a complaint. And even paused its investigation into adtech entirely during the pandemic, saying it didn’t want to saddle the industry with “undue pressure” at such a difficult time.
What about UK users’ rights not to be unlawfully creeped on by advertisers during Covid? The ICO evidently didn’t feel it should press the industry to care about such details back then — or, well, ever since really. So it’s a bit rich for the ICO to suddenly square up to Meta with implicit concerns that Brits’ info rights aren’t being properly respected. Unless this is the regulator’s Damascene conversion moment — on the need to actually enforce against adtech abuses it has itself been critical of for years.
Previously the UK regulator has considered an “appropriate response” to rampant law-breaking by the adtech industry to mean convening a few roundtables where advertising execs were seemingly able to fill the room with hot air about respect for compliance while being allowed to continue lucrative data-mining business as usual as the ICO continued ‘investigating’.
So it’s not clear what action the UK regulator might deem “appropriate” to take against Meta’s if it keeps trampling local users’ rights. Hopefully we’re not going to see another open-ended/neverending investigation.
Technically the UK GDPR allows for penalties for confirmed breaches that can reach as high as 4% of global annual turnover — which, in Meta’s case, could sum to a few billion pounds. But the ICO hasn’t strayed anywhere near the theoretical maximums in the GDPR enforcements it has chalked up to date. So the adtech giant may have decided there’s minimum regulatory risk on UK turf — and set the level of respect for local users’ data accordingly. Ergo: No consent for you, you’re British.
We reached out to the ICO with questions about its historical lack of enforce against adtech’s tracking and profiling, and to ask what specific responses it may consider if Meta continues to provide UK users with a lesser level of data protection than other people in European, but the regulator told us it had nothing more to add beyond Almond’s public remarks.
Meta also declined comment on the ICO’s statement. But its spokesman pointed us back to the section of its blog post we quoted above — where it says its intention to switch to consent in the EU and EEA was taken in response to a number of enforcement decisions by the region’s regulators and courts. So, basically, Meta is making the salient point that its looming switch of lawful basis tracks enforcement action. No enforcement, no switch. Simples!
Of course this also means the ICO does have the power to change how UK users’ rights are treated by Meta or any other adtech entities operating on UK soil. I.e. by actually enforcing UK law on the adtech industry as privacy campaigners have been calling for it to do for years.
Michael Veale, a lecturer in digital rights at the University College London — who was one of the individuals behind the aforementioned complaint about adtech industry practices to the ICO back in 2018, and subsequently took legal action after the regulator closed the complaint a couple of years later without taking a decision — urged the ICO to seize the opportunity it now has to act on its stated concerns for UK users’ rights by regulating adtech giants like Meta directly.
“Since Meta moved its relevant headquarters for UK users from Ireland to the US, the UK is now obliged to regulate the tech firm for itself, not to wait for Ireland. This would be a great time [for the ICO] to show it is ready for these significant new responsibilities,” he told TechCrunch.
“The text of the relevant law applying to Meta is in all relevant ways identical in the EU and the UK. Meta’s choice not to extend the same rights to UK users is it making a calculated decision that privacy enforcement in the UK is weak enough to ignore,” Veale added. “Some of the court judgements do apply to the EU and not the UK, as they were handed down after the end of 2020. But that does not mean that the regulator cannot take clear action using the information provided in the course of these judgements, and on the solid reasoning within them.”