IAB Europe Fights Belgian DPA GDPR Violation Ruling

IAB Europe has confirmed it will appeal the Belgian Data Protection Authority (DPA’s) administrative ruling that found the IAB Europe’s Transparency & Consent Framework (TCF) violates GDPR. It will appeal to the Belgian Market Court. According to the Belgian Data Protection Authority, the IAB Europe’s Transparency and Consent Framework (TCF) fails to comply with a number of provisions of the GDPR, the European Union’s comprehensive data privacy law.

“IAB Europe is a small trade association that has been creating and iterating on a framework for data protection best practices in continual consultation with the authorities,” Townsend Feehan, IAB Europe CEO, said in a statement. “It cannot have been the intention of the European legislator that a body like ours should bear legal responsibility for the data processing activities of an entire industry. We have no choice but to appeal.”

Belgian DPA’s Findings Against IAB Europe

The Belgian Data Protection Authority administrative ruling’s found that IAB Europe acts as a joint controller for profiling and other data processing done by TCF vendors in the context of OpenRTB. The IAB’s Transparency & Consent Framework, which some organizations use for management of users’ preferences for online personalized advertising, includes the IAB’s OpenRTB protocol, or Real-time Bidding (RTB). With RTB, an individual ad impression is put up for bid in real-time through a programmatic on-the-spot auction.

When a user visits a website or application for the first time, an interface (a Consent Management Platform, or CMP) will pop up where they may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors, according to Belgian DPA officials.

What did the Belgian DPA find? The information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. Therefore it is difficult for users to maintain control over their personal data, according to the Belgian DPA.

The TCF lacks organizational and technical measures in accordance with the principle of data protection by design and by default, including to ensure the effective exercise of data subject rights as well as to monitor the validity and integrity of the users’ choices. Therefore, the conformity of the TCF with the GDPR is not adequately warranted nor demonstrated.

IAB: Findings Based on ‘Misunderstanding of Facts’

IAB Europe believes appealing is the right decision to avert unintended negative consequences that go well beyond the changes that the DPA wants to see made to the TCF, and which could impact the wider digital advertising industry.

“We believe the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law,” Feehan said. “This establishes an irrational legal precedent. It will have the perverse effect of discouraging other standard-setting organizations from investing in instruments that aim to protect users and facilitate the exercise of their rights under the GDPR.” 

IAB Europe officials also noted the DPA has not ordered the IAB Europe to discontinue use of TCF pending its submission of a plan to the DPA.