IAB Europe Set For GDPR Infringement Ruling Via Belgium APD

Data regulation in Europe could be about to get a whole lot more complex. On Friday, ad trade body the Interactive Advertising Bureau (IAB) Europe shared updates that Belgium’s data protection authority (APD) will likely find the trade body in breach of General Data Protection Regulations (GDPR). At the heart of the matter is whether IAB Europe is classed as a data controller, which means that it determines the means of use of personal data, as opposed to a data processor, which does not own the information it collects. The investigation is based on the Irish Council of Civil Liberties' (ICCL) complaints which focus on the IAB Europe’s Transparency & Consent Framework (TCF), the industry mechanism which conveys consent in the open ad exchange bidstream through using pop-up ads on sites. It claims that “these popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.” Latest EU Privacy Lawsuit Threatens the Digital Ad Industry as We Know It An investigation will be shared later this month with Europe's other DPAs. Those regulators will have 30 days to review before Belgium's own regulators adopt a final ruling or refer to the independent body European Data Protection Board. Should the ruling go unchallenged, IAB Europe will have six months to change its framework to comply with ADP. The latter could potentially adopt its own framework if it's not satisfied with the results. The verdict could also create a standard in which all trade bodies be recognized as "data controllers" too. Too many grey areas Claiming that TCF could be ruled as GDPR non-compliant "doesn't come as a surprise," said GumGum EMEA's svp of sales Peter Wallace. Wallace noted that the regulation wasn't created to handle the complexities of data advertising, adding that the various data signals consent pop-ups send were "always a grey area." "The mechanic of consent was, however, the simplest way to move forward while trying to maintain some level of user experience," he said. "Yet again, this will highlight the fact that GDPR creates too many grey areas, it’s spread across multiple stakeholders and doesn’t allow for swift action to be taken," Wallace said. "A number of years down the line and it still feels like there needs to be a re-work and streamlining of the regulation, making things clearer and more actionable." Others agree that the current system of pop-up consent banners is no longer fit for purpose. The TCF "is not fit for the future of online advertising" in its current form and that pop-up consent banners are "a band-aid to a system that fell ill a long time ago," said Ilhan Zengin, CEO at video ad platform ShowHeroes Group. "Third-party cookies as a technical means to support online advertising activity are a dying breed. The legal issues that are under examination now are unnerving and may lead to the collapse of this system at some point," he added. "While the judiciary process will certainly drag on for many months, players in the media ecosystem should take this opportunity and deepen their understanding about the core of the issue." The IAB does not consider itself a controller IAB Europe released a statement stating it is ready to work with other industry bodies to comply with EU Law requirements once the judgment was finalized. “Based on guidance from other DPAs up to now and the fact that IAB Europe does not in any way process, own, or decide on the use of specific TC Strings, as well as relevant case law and its own interpretation of the GDPR, IAB Europe has not considered itself to be a data controller in the context of the TCF. Therefore, it has naturally not fulfilled certain obligations that accrue to data controllers under the Regulation,” it added. Jon Mew, chief executive of IAB UK also released a statement relaying fears among the membership. He described TCF as “a valid and compliant cross-industry resource” and that it had been “conceptually approved” by the DPA. “While the APD’s decision does not directly apply to the U.K. post-Brexit, it’s crucial that the TCF continues to function seamlessly across borders. We’ll be working closely with IAB Europe to understand and communicate to our members any future changes to IAB Europe’s management of the TCF, as they are agreed with the APD,” he added. First-Party Data Is the New Arms Race for Advertisers

Programmatic

IAB Europe on the Hook for GDPR Infringement Over Pop-Up Consent Banner Use

Organization could have six months to change its framework

Stephen Lepitak

About

Subscriptions

Events

Publications

WORK SMARTER - LEARN, GROW AND BE INSPIRED.

Subscribe today!

Stephen Lepitak