On 2 February 2022, the Belgian Data Protection Authority (the BDPA) fined IAB Europe for various infringements in relation to the IAB Transparency and Consent Framework. This decision could have a huge impact on the majority of players in the online adtech ecosystem who rely on the framework.
The Interactive Advertising Bureau Europe’s (IAB) Transparency & Consent Framework (TCF) has been in widespread use in the digital advertising industry (Adtech) and, in particular, since v2.0 was announced on 21 August 2019.
Since the inception of v2.0 of the TCF in 2019, however, various EU data protection authorities have received numerous complaints from organisations across the EU in respect of the use of personal data in the RTB component of programmatic advertising. Since then, the Belgian Data Protection Authority (BDPA) has taken on the lead role of investigating the TCF’s conformity with the GDPR.
On 2 February 2022, the Litigation Chamber of the BDPA concluded, in agreement with 27 other EU data protection authorities, that IAB was acting as a data controller in regards to registering user consent signals, choices and preferences via signal strings, as they could be linked to an identifiable user. Accordingly, it found that IAB could be found responsible for the following GDPR infringements:
- IAB had failed to establish a legal basis for the processing of signal strings;
- the legal grounds being offered by the TCF for vendors to process signal strings were inadequate;
- the information being provided to users through CMPs was too generic and vague in respect of the nature and scope of the processing, making it difficult for users to maintain control over their personal data;
- IAB had failed to implement organisational and technical measures that were in accordance with the principle of data protection by design and default, including to ensure the exercise of data subject rights and to monitor the integrity and validity of users’ preferences and choices; and
- IAB had failed to appoint a data protection officer, maintain a register of its own internal data processing activities and conduct a data protection impact assessment.
The BDPA imposed an administrative fine of EUR 250,000 on IAB and ordered it to make a corrective action plan within two months, which is to cover:
- stricter vetting of organisations participating in the TCF to ensure greater GDPR compliance;
- the permanent deletion of personal data already being processed under the TCF system;
- establishing a valid legal basis for the processing and dissemination of personal data via signal strings; and
- prohibiting organisations participating in the TCF to use legitimate interest as a basis for the processing.
The BDPA has given the IAB a maximum period of six months to bring the TCF in line with the provisions of the GDPR.
The IAB published its response to the decision by way of a statement and FAQs. Firstly, it is at pains to stress that the decision relates primarily to IAB Europe and its controllership over TC Strings and that it is not a ruling on the validity of the TCF per se. In relation to the points raised, the IAB disagrees that it is a data controller of any personal data in the signal strings as it does not own, process or decide on the use of specific signal strings. The IAB rejects the notion that a signal string is personal data just because it would be possible for CMPs to link an IP address to a TC String via an Internet Service Provider. The IAB argues this reasoning given by the BDPA is based on legal decisions that have been given in a very different context. Further, in regards to the decision that legitimate interest was inadequate as legal grounds for the processing of personal data by TCF participants, the IAB believes the BDPA’s decision lacked clarity as to whether this applies to all TCF-related purposes or only personal advertising and profiling. The IAB says it will look to further discuss these issues, including in any legal challenge, but also stresses its desire to work with the BDPA to make any required amendments to the TCF itself, noting:
“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.
Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.”
Although the fine was relatively minor in GDPR terms, the decision will likely have long-standing, wide-reaching implications for not only IAB, which has now been categorised as a data controller, but also the Adtech industry as a whole. This is because of the widespread use of TCF v2.0 across the Adtech ecosystem, which has been dictated heavily by Google’s participation in TCF v2.0. As such, with so many organisations reliant on the TCF, the Adtech industry may be forced to undergo a significant rethink in terms of its GDPR compliance.