Greetings from Brussels!

The Belgian Data Protection Authority by all accounts seems to be particularly active of late on the European landscape. You may recall earlier in October I wrote about their appearance before the CJEU seeking guidance on Facebook’s challenge to its territorial competence regarding tracking of Belgian users through social plug-ins.

Two weeks on, and the Belgian DPA is once again in the spotlight with an explosive investigatory report. The investigation, the outcome of numerous complaints, is aimed at the ‘Transparency & Consent Framework’ standard designed by ad technology industry body IAB Europe. The DPA findings conclude that the online marketing standard against which companies collect and share profile data with a view to offering personalized advertising runs contrary to several provisions of the GDPR. There were recent articles on this in both the WSJ and Tech Crunch. This is an initial report by the Belgian DPA, not a final decision or judgment, but it could have far reaching implications for the entire online marketing world and the way in which personalized ads are displayed and consumed by website users.

For background, the TCF was launched back in April 2018, as the ad industry’s answer to the GDPR. The aim of the framework was designed to facilitate the digital advertising ecosystem — at large — with its GDPR and ePrivacy Directive compliance obligations. It’s a framework that has been widely adopted, including by Google. According to some, the framework is not performing in adherence to EU data laws, and there are no less than 22 organizations and individuals from across 16 EU member states that have lodged complaints with the Belgian DPA; notably, a good number of those organizations are privacy advocacy groups.

The focus of the complaints is largely centered around the real-time bidding component of the advertising standards system and whether the high-velocity personal data trading practice is compatible with EU law. According to the complainants, IAB's framework allows companies to exchange sensitive information about individuals without their permission: The DPA report states that the “TCF does not provide adequate rules for the processing of special categories of personal data,” such as health information, political affiliation, sexual orientation — and yet it processes such sensitive data.

You may be asking yourself why Belgium is taking a lead in this matter? Well, the main reason is due to the fact that the TCF was implemented by the industry association IAB whose Europe arm and headquarters happen to be in Brussels. This makes the Belgian DPA competent in its jurisdictional claim over the group. The DPA’s legal interpretation of the situation is that the IAB is de facto a data controller with respect to those member companies that implement its framework.

In its own statement, the IAB respectfully disagrees with the DPA’s interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF. IAB Europe added further that the TCF consists of a minimal set of best practices covering adequate transparency and choice and that the voluntary standard is not designed to “replace legal obligations nor enable practices prohibited under the law.” On the other hand, though, if the Belgian regulatory position were to be supported by other EU regulators or in any forthcoming legal ruling, the Belgian DPA would have authority over how companies across the EU conduct advertising online. To date, there are more than 500 vendors and seventy consent management platforms that have adopted the TCF version 2.0 as launched in August 2020.

The all-important question that arises here is who is ultimately responsible for the activities that result from the framework, as well as legal compliance. In its reaction, IAB Europe is clear in its position that it considers itself purely as the supplier of the standard and not as a data controller. The complaints and the provisional investigation by the DPA do not appear to follow this reasoning. The Belgian DPA Inspectorate Service has forwarded its findings to the DPA Litigation Chamber, and both the complainants and the IAB will be heard further. After that, action will be taken in early 2021.