On 2 February 2022, the Belgian Data Protection Authority found that the transparency and consent framework developed by the Interactive Advertising Bureau Europe (IAB Europe) does not comply with GDPR and imposed a fine of EUR 250’000.00 on the company as well as coercive measures. If you work in marketing or even just use the widespread mechanism of IAB Europe, check out our article on the reasoning of the Belgian Data Protection Authority to find out what to do to avoid a fine yourself.

Background of the case

Many companies use the OpenRTB protocol for real-time bidding, which is the immediate automated online auction of user profiles for the sale of advertising space on the internet. In practice, when a user accesses a website or application that has advertising space, companies can bid on that advertising space at the very moment that the user accesses the website through an automated auction system that uses algorithms. This process results in the user seeing advertising specifically tailored to the user’s profile. Real-time bidding takes place on most commercial websites and mobile apps.

For real-time bidding, a user’s preferences must be captured. This usually happens when a user visits a website or an application for the first time and an interface or a consent management platform pops up where users can consent or object to certain types of processing activities. IAB Europe developed a so-called transparency and consent framework (TCF) to facilitate the capture of user preferences and to help companies that rely on the OpenRTB protocol with the compliance challenges resulting from the European General Data Protection Regulation (GDPR) and the ePrivacy Directive (cf. MLL-News 17.9.2019). Ultimately, the TCF is the online expression of a website or application user’s preferences about potential vendors and processing purposes that include the offering of tailor-made advertisements. These preferences are expressed by sending a TC string to organisations participating in the OpenRTB protocol.

The Belgian Data Protection Authority states that it has received several complaints about IAB Europe since 2019, claiming that the TCF is not in conformity with GDPR. These complaints have resulted in an investigation. The Belgian Data Protection Authority first prepared a draft decision that was examined within the cooperation mechanism of the GDPR. The draft decision underwent quite some scrutiny and received two objections from other EU member states, which were incorporated in the second draft decision. The second draft decision was approved by all concerned authorities representing almost all member states of the European Economic Area. This underscores the importance that must be given to this decision. The consultation process resulted in the final decision of the Belgian Data Protection Authority, which finds that IAB Europe violates GDPR with its TCF.

It appears that this legal story has not yet reached its conclusion as IAB Europe confirmed on 11 February 2022 that it will appeal this decision. IAB Europe also confirmed on 1 April 2022 that it had submitted the action plan required by the Belgian Data Protection Authority in its decision. The press release by IAB Europe clarified that they considered the submission of this action plan to be a key milestone in enabling a version of the TCF that includes a broader compliance functionality to be rolled out under the supervision of the Belgian Data Protection Authority. IAB Europe noted that submitting the action plan will not change its decision to appeal.

Main findings of the case

The decision of the Belgian Data Protection Authority entailed several interesting findings, some of which we take a closer look at in the following sections.

Controller or processor?

Under GDPR, a party involved in the processing of personal data may have one of three roles: controller, processor or joint controller. As a quick brush-up, a controller is a person who alone or jointly with others determines the purposes and means of processing of personal data, whereas a processor is a person that processes personal data on behalf of the controller (art. 4 (7) and (8) GDPR). Depending on the role allocation, GDPR provides for different rights and obligations.

IAB Europe considered itself to be a processor, an opinion that was not shared by the supervisory authority. In its decision, the supervisory authority considers IAB Europe to be a joint controller with other data controllers implementing the TCF and relying on the OpenRTB protocol, such as publishers, consent management platforms and adtech vendors. The Belgian Data Protection Authority also stated that IAB Europe imposes binding rules on the organisations participating in the TCF, thereby acting as a managing organisation. Furthermore, the supervisory authority holds that because of these binding rules relating to the processing of personal data, IAB Europe, as the managing organisation, must be qualified as a data controller. In addition, the TCF generates TC strings to capture the preferences of users. These TC strings are qualified as personal data by the Belgian Data Protection Authority, thereby backing up its argument that IAB Europe is a data controller.

Despite the decision, IAB Europe maintains that it is a processor in relation to the mentioned processing operations and will make this argument one of the main pillars of its appeal. IAB Europe argues that it is not a data controller because it does not own, process or decide on the use of specific TC strings and does not act as the managing organisation of the participants in the TCF. Also, IAB Europe argues that the mere fact that consent management platforms may link an IP address to a TC string does not render the TC string personal data. The TC string contains the information or the signal of whether or not a user originally consented or objected to the processing purposes on the website and is then shared with the organisations participating in the OpenRTB protocol so they know if they can bid for targeted online marketing. IAB Europe maintains that the TC string merely contains technical information, namely the preferences of a user but no unique identifier (e.g. the IP address). Based on this, IAB Europe argues that it is not a data controller.

The decision highlights the difficulty of role allocation under GDPR when deep technical knowledge is necessary to understand the processing operations as well as the need to put a focus on the role allocation when starting a GDPR compliance project.

Is IAB Europe acting in compliance with GDPR?

As a result of the above-explained change to the role allocation made by IAB Europe and the technical setup of the TCF, the Belgian Data Protection Authority found that IAB Europe failed to establish a legal basis for the processing as well as an adequate legal basis for the subsequent processing by adtech vendors.

Moreover, this resulted in an infringement of other obligations of a controller that processes personal data on a large scale as it had failed to keep a register of processing activities, appoint a DPO and conduct a data protection impact assessment.

The supervisory authority also found that the information provided to users was insufficient as it did not explain the nature and scope of processing in a manner that users could understand, in particular, due to the complexity of the processing operation. The authority argued that this results in the users not being able to maintain control over their data.

Additionally, the supervisory authority decided that IAB Europe failed to comply with the obligations of accountability, security and data protection by design and by default due to the absence of technical and organisational measures. The authority also found that IAB Europe did not ensure the effective exercise of data subject rights. Under this title, the data protection authority also found that the compliance of the TCF with GDPR cannot be adequately warranted or demonstrated, in particular, because of the lack of a monitoring possibility regarding the validity and the integrity of the choices made by the users.

What are the consequences of the findings of the Belgian Data Protection Authority?

Based on these findings, the Belgian Data Protection Authority imposed on IAB Europe a fine of EUR 250’000.00 and the obligation to undertake corrective measures. These measures included the establishment of a valid legal basis for the processing and sharing of users’ preferences within the TCF. In this regard, the Belgian Data Protection Authority also made it clear that the legal basis of legitimate interest is prohibited for the processing of personal data by an organisation that participates in the TCF. Moreover, it included the obligation to strictly vet all participating organisations to ensure that these organisations meet their GDPR requirements. The Belgian Data Protection Authority also required the deletion of personal data already being processed under the TCF system.

Impact of the case on your business

The decision is likely to have a lasting impact on the adtech industry because this industry has widely worked with the TCF. In fact, many adtech companies that are dependent on the TCF may have to reconsider their GDPR compliance completely. This being said, IAB Europe is of the opinion that businesses can still use the TCF.

Nonetheless, we strongly recommend that all businesses using the TCF assess the situation and consider implementing the updated version of the TCF once it has been developed under the supervision of the Belgian Data Protection Authority.

The decision also highlights the importance of a correct role allocation and implementation as well as the capacity to demonstrate the implementation of GDPR obligations within an organisation. Moreover, the Data Protection Authorities’ arguments for role allocation may become relevant for all standard-setting bodies or other managing organisations because they too may be considered joint controllers in the future. Continuing this train of thought to its logical conclusion, the same argument may even be applied to a group of companies with one entity in the group setting binding rules for its affiliates.