The Belgian Data Protection Authority fined IAB Europe 250,000 euros Wednesday, ruling its Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions.

Through data processing under the TCF, which “facilitates the management of users’ preferences for online personalised advertising,” the DPA found IAB Europe acts as a data controller and can be held responsible for potential GDPR violations. The authority also ruled IAB Europe did not establish a legal basis for processing and failed to appoint a data protection officer, conduct a data protection impact assessment, or maintain a register of processing activities. The DPA also argued it is difficult for users to “maintain control over their personal data” under the framework, as the information provided is “too generic and vague to allow users to understand the nature and scope of the processing.”

The DPA’s Litigation Chamber imposed “serious sanctions … because the TCF may lead to a loss of control of their personal information by large groups of citizens.” It gave IAB Europe two months to present an action plan that brings the current version of the Transparency and Consent Framework into compliance.

IAB Europe was also ordered to permanently delete personal data already processed in the TCF system “from all its IT systems, files and data carriers, and from the IT systems, files and data carriers of processors contracted by IAB Europe.”

Davis+Gilbert LLP Partner Gary Kibel, CIPP/US, said IAB’s framework is “the engine that drives the industry in the EU,” adding the decision “impacts the ability of the majority of the industry to engage in retargeting.” In ordering deletion of previously processed data, the DPA is essentially saying “the data is fruit from the poisonous tree,” Kibel said.

“So if the moment of initial data collection did not comply with GDPR then when that data is passed on to others in the ecosystem, they are receiving tainted data,” he said.

IAB Europe said it rejects the Belgian DPA’s finding that it is a data controller in the TCF context, adding, “We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry.”

The organization said it is “considering all options with respect to a legal challenge,” while it looks forward to working with the authority “on an action plan.”

The Belgian DPA’s ruling, made in agreement with 27 other EU data protection authorities, follows complaints stemming from 2019 over the TCF’s GDPR compliance. Irish Council for Civil Liberties Senior Fellow Johnny Ryan said it’s “been a long battle.”

“Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies,” he said.

On the heels of the recent decision from the Austrian Data Protection Authority that the use of Google Analytics violates the GDPR, and news from other authorities on the topic — including Norway’s DPA, Datatilsynet, advising companies to seek alternatives — Head of Cooley’s European Privacy and Data Protection Practice Patrick Van Eecke said the decision highlights that European data protection authorities are using 2022 to “clean the house.”

“In 2022 we have seen some fines and decisions coming in during the past few weeks that are really cutting deep into the data processing practices of not just one company, but a whole industry sector,” he said.

The DPA’s decision that IAB Europe qualifies as a data controller “is a very strong message and warning to service providers to build data processing systems that are GDPR compliant,” Van Eecke said.

“They cannot hide any longer behind the shoulders of their customers, claiming they are a ‘mere processor,’” he said.

The decision presents a challenge for the industry in how to best move forward, Kibel said, pending an appeal and corrective measures by IAB Europe.

“If a ruling came out tomorrow that all bottled water deliveries are illegal, everyone’s going to keep drinking water. But it may make some publishers reassess how they rely upon the TCF program in working with ad tech companies,” he said. “It certainly puts a lot of pressure on IAB Europe to come up with a compliant solution.”
