IAB Europe Considers Legal Action After Fine for Breaching GDPR Rules

IAB Europe is considering legal action having been fined $283,000 (250 thousand euros) by the Belgian Data Protection Authority after it was found that the Transparency and Consent Framework (TCF) it had developed failed to comply with GDPR measures. The TCF investigation followed a complaint from the Irish Council of Civil Liberties (ICCL) which claimed that the platform, which used pop-up ads to convey consent around the use of user’s data, failed to comply with GDPR guidance. The TCF is an industry mechanism that conveys consent in the open ad exchange bidstream through using pop-up ads on sites. The complaint claimed that “these popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.” The industry body has been given two months to present its action plan to bring its site into compliance. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. IAB Europe The investigation took place after the Belgian DPA received complaints in 2019 around its reliance on the OpenRTB Protocol which focuses on real-time bidding and the automated use of user-profiles within online auctions to display personalized relevant ads when buying and selling inventory online. The preferences are collected from the user and then coded and stored in a “TC string”, which is shared with partner organizations in the OpenRTB system and by placing a cookie on the user’s device linked to their IP address. The investigation's findings Following its investigation, The DPA ruled that IAB Europe had “failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by ad tech vendors are inadequate.” It also claims a lack of transparency in the information provided to users which it described as “vague” and “generic” and that it failed to meet data protection principles “by default” and there was also found to have been “a failure to keep a register of processing activities.” Stop Stalking Consumers and Earn Their Attention Instead In a statement, Hielke Hijmans, chairman of the Litigation Chamber of the BE DPA, said that the processing of personal data under the TCF was “incompatible” with GDPR due to “an inherent breach of the principle of fairness and lawfulness.” He continued: “People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalized ads. Although it concerns the TCF, and not the whole RTB system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.” In response, IAB Europe issued a statement that acknowledged the decision but also highlighted that it had not prohibited the TCF itself as the complainants had requested. “We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge,” the organization continued. “Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin," the statement ended. As GDPR Rocks the EU Ad-Tech World, Vendors Must Learn to Adapt