GDPR fine sends shockwaves across the adtech industry

The Belgian Data Protection Authority’s decision on the Transparency and Consent Framework was made to “restore order to the online advertising industry”. If upheld on appeal the decision will affect the entire adtech ecosystem.

TCF violates the GDPR

Belgium’s Data Protection Authority (“DPA”) found on 2 February 2022 that IAB Europe’s Transparency and Consent Framework (“TCF”), which is used across the adtech industry, violated the GDPR. The DPA found that IAB Europe was responsible for the TCF, and gave it two months to develop an action plan to bring the framework into compliance with the GDPR.

The TCF facilitates the management of users’ preferences for online personalised advertising and plays a key role in facilitating real-time bidding. Although the Belgian DPA’s decision focuses exclusively on the TCF and not the real-time bidding system itself, the decision will have widespread implications for the industry because of three key factors:

  • Although IAB Europe tried to argue that it does not process any personal data and that it was merely playing the role of facilitator, the Belgian DPA found otherwise. It concluded that IAB Europe, the consent management platforms (“CMPs”), publishers and participating adtech vendors should together be regarded as joint controllers for the collection and dissemination of users’ preferences, objections and consent and for the subsequent processing of their personal data.
  • The Belgian DPA has indicated that a draft of the decision was examined by other concerned supervisory authorities within the GDPR one-stop-shop – and that an amended version of the decision “was approved by all concerned authorities representing most of the 30 countries in the European Economic Area”.
  • The Belgian DPA stated that “the present decision on the TCF does not directly address deficiencies of the wider OpenRTB framework. However, the [Belgian DPA] does draw attention to the great risks to the fundamental rights and freedoms of the data subjects posed by OpenRTB, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance”.

The violations of the GDPR

The Belgian DPA concluded that IAB Europe’s TCF violates numerous provisions of the GDPR on the following grounds:

1. Failure to properly obtain consent and absence of legitimate interest

The DPA found that IAB Europe did not have a legal basis for the registration of the consent signal, objections and users’ preferences. It said the consent of the data subjects obtained through CMPs was not legally valid, as the proposed processing purposes were not sufficiently clearly described and in some cases were misleading (the DPA flagged, among others, the absence of an overview of the categories of data collected, recipients so numerous that users needed a disproportionate amount of time to read this information, and the withdrawal of consent never being immediate).

The only alternative legal ground that could have been considered here (i.e. legitimate interests) likewise failed, because the TCF processing could not be reasonably expected by data subjects. The DPA also pointed out that no option was offered to users to completely oppose the processing of their preferences, as information (linked to users’ unique User ID through a cookie) was placed on devices regardless of which choice users made. Users were additionally not informed about the cookie placement.

More specifically, the Belgian DPA considered that no balanced legitimate interest for the processing of the data existed in the context of the TCF, as:

  • there was a lack of specificity of the stated purposes due to the standard descriptions imposed by the TCF;
  • the TCF included no measures to adequately demonstrate that no inappropriate personal data are being disseminated; and
  • the TCF processing may not have been reasonably expected by data subjects. The Belgian DPA restated in this respect the position of the European Data Protection Board that “legitimate interest does not constitute a sufficient legal basis in the context of direct marketing involving behavioural advertising”.

The Belgian DPA also considered that IAB Europe did not have a legal basis for the collection and dissemination of personal data in the context of real-time bidding.

2. Lack of transparency

The Belgian DPA decided that the information provided under the TCF, in its current form, did not comply with the GDPR’s transparency obligations.

The DPA pointed to the fact that the interface offered to users did not allow them, among other things, to identify in a simple and clear manner the processing purposes associated with the authorisation of a particular vendor, or which adtech vendors would process their data for a specific purpose. The large number of third parties that would potentially receive and process users’ personal data was not found to be compatible with the condition of a sufficiently informed consent, nor with the broader transparency duty set out in the GDPR.

Other violations

The Belgian DPA also found that the TCF violated a raft of other GDPR provisions, including that:

  • the TCF did not comply with the rules in relation to accountability (article 24), data protection by design and by default (article 25), integrity and confidentiality (article 5.1.(f)), as well as security of processing (article 32). In particular, the theoretical possibility for CMPs to produce “false consent” as well as the lack of auditing and enforcement in case of such practices was considered problematic;
  • the absence of a proper record of processing activities held by IAB Europe covering at least the TCF constituted a violation of article 30;
  • similarly, the absence of a data protection impact assessment for the TCF violated article 35; and
  • lastly, the non-designation of a data protection officer violated article 37.

What next?

The €250,000 fine imposed by the Belgian DPA is well below the €20,000,000 or 4% of global turnover that IAB Europe could theoretically have been fined.

However, IAB Europe was given just two months to submit an action plan to render the TCF compliant with the GDPR’s lawfulness, fairness and transparency, integrity and security requirements, and to prepare a record of processing activities, carry out a data protection impact assessment and designate a data protection officer. Once the DPA validates the plan, IAB Europe will have six months to implement it. A failure to meet these deadlines would result in a €5,000 daily penalty.

But the Belgian DPA itself has queried whether a solution can actually be found, noting that “[i]t is uncertain whether, in view of its current architecture and support of the OpenRTB protocol, the TCF can be reconciled with the GDPR”.

IAB Europe plans to appeal against the Belgian DPA’s decision in the meantime.

This article was first published in Global Data Review, available here.