Data regulators are going to need a bigger boat

Research by law firm Osborne Clarke has found that only five of the 27 European Union member states currently have an established body ready to regulate the use of personal data in behaviourally targeted online advertising. A further four could be ready in 18 months, but the other 18 have made no preparation.

The reason this could prove important is that, on 4 February, the UK’s Advertising Standards Authority takes up the complex task of regulating online behavioural advertising (OBA), and when it receives complaints that apply to companies in other countries, the ASA is supposed to be able to refer the cases to its international counterparts.

But if the company serving the ad is based elsewhere in Europe than the UK, Germany, Italy, Sweden or Finland, there’s a chance there won’t be anyone on the other end of the line to take the ASA’s call.

Being an organisation that usually shows good common sense, the ASA is likely to find a way to deal with such occurrences. But there’s a wider point here about data regulation overall.

EU legislators have grand ambitions to give consumers control over commercial use of their data, which they have already demonstrated by compelling companies to get consent before they can track people’s online behaviour with cookies. Next comes a wider-ranging, stricter law that covers data protection in general, which is likely to come in during 2014.

But the bodies appointed to take care of these issues and others relating to personal data – either by governments or by industry, as in the case of the ASA – don’t appear to be scaling up to the degree that suggests the people funding them appreciate the potential size of their tasks. The ASA is taking on extra staff, but theoretically at least, every targeted ad impression served on the internet in this country could be subject to a complaint.

The ASA has already undergone one extension of its remit in the past two years, stretching itself to cover marketing on brands’ own websites, which weren’t previously regulated. Six months later it admitted it had received complaints “substantially above our forecasts”. Now it will be pulled in yet another direction as it oversees the way OBA is delivered.

Being the ad industry’s self-regulatory body, the ASA isn’t there to enforce laws, but its purpose is undoubtedly to ensure that companies are geared up for what’s required by them. The ASA will almost certainly have to adapt itself yet again when the EU’s new data protection regulation comes into force.

And then there’s the question of governmental bodies. The Information Commissioner’s Office is currently responsible for taking legal action in areas such as data protection and cookie consent, but appears to have a very tough set of tasks that require too much prioritising.

However sensibly they approach their jobs, regulating the internet is a job that is exponentially bigger than what these bodies have been asked to do before. If industry and governments are serious about making data regulation effective and empowering consumers, they need to increase their funding accordingly.