It appears that the national data protection authorities have awoken from their peaceful slumber in recent months. This time, the Belgian authority has claimed its first prominent victim in a while. It issued a decision against IAB Europe’s Transparency and Consent Framework (TCF), a consent framework relied on by millions of websites to record users’ preferences regarding personalised ads.
The Transparency and Consent Framework
When an individual visits a website they are confronted with the infamous cookie banners, a consequence of the legal requirements in the e-Privacy Directive. For websites that serve ads in the EU, the TCF is the most commonly used consent management solution: after the user has indicated whether and how they may be tracked for personalised ads, it allows website owners to offer their ad space to bidders. The resulting consent signal is passed on (within OpenRTB bid requests) to the organisations involved in the sale and serving of ads. Check out our blog article on Real Time Bidding if you want to know more about the complex mechanism behind the serving of online ads and why that mechanism is at odds with EU data protection legislation.
Investigation and determining the roles in the processing
The first important result of the authority’s decision was the finding that the TCF involves the processing of personal data, since individuals can be identified through the combination of
- the TCF’s TC String, which encodes metadata (such as which consent management platform recorded the choice and when) together with the user’s individual consent choices per purpose and per vendor, and which is shared with the adtech vendors, and
- the euconsent-v2 cookie set on the user’s device by the consent management platform used by the website provider, which stores that TC String and is transmitted together with the user’s IP address.
The authority also emphasised that where the purpose of the processing is to single out persons, the parties involved in the processing can be assumed to have the means to identify those individuals at their disposal.
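To make concrete what a TC String actually carries, the following is an added example; it is not code from the original article and not IAB Europe’s reference library. It encodes and decodes the core segment of a TCF v2 TC String following the published bit layout, writes both vendor sections as plain bitfields (IsRangeEncoding = 0) with an empty publisher-restrictions list, and ignores the optional trailing segments. The consent record in SAMPLE is constructed, not captured from a real site.

```python
"""Encode and decode the core segment of a TCF v2 TC String.

Added example, not code from the original article nor IAB Europe's reference
library. Vendor sections are written as plain bitfields (IsRangeEncoding = 0),
publisher restrictions as an empty list; optional trailing segments are ignored.
"""
import base64
from dataclasses import dataclass, field


@dataclass
class TCCore:
    version: int = 2
    created_ds: int = 0               # deciseconds since the Unix epoch, 36 bits
    last_updated_ds: int = 0          # same unit, 36 bits
    cmp_id: int = 0                   # IAB-assigned CMP id, 12 bits
    cmp_version: int = 0              # 12 bits
    consent_screen: int = 0           # banner screen consent was given on, 6 bits
    consent_language: str = "EN"      # two letters, 6 bits each (A=0 ... Z=25)
    vendor_list_version: int = 0      # Global Vendor List version, 12 bits
    tcf_policy_version: int = 2       # 6 bits
    is_service_specific: bool = True
    use_non_standard_stacks: bool = False
    special_feature_opt_ins: set = field(default_factory=set)   # ids 1..12
    purposes_consent: set = field(default_factory=set)          # ids 1..24
    purposes_li_transparency: set = field(default_factory=set)  # ids 1..24
    purpose_one_treatment: bool = False
    publisher_cc: str = "BE"          # publisher country code, two letters
    vendor_consent: set = field(default_factory=set)            # vendor ids >= 1
    vendor_li: set = field(default_factory=set)                 # vendor ids >= 1


class BitWriter:
    def __init__(self):
        self.bits = []

    def write(self, value, width):
        """Append `value` as a big-endian field of `width` bits."""
        self.bits.extend((int(value) >> (width - 1 - i)) & 1 for i in range(width))

    def write_letters(self, text):
        for ch in text:
            self.write(ord(ch) - ord("A"), 6)

    def write_flags(self, ids, width):
        """TCF bitfields put id 1 in the first (most significant) bit."""
        self.write(sum(1 << (width - i) for i in ids), width)

    def to_base64url(self):
        bits = self.bits + [0] * (-len(self.bits) % 8)          # pad to a byte boundary
        raw = bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")  # spec: no '=' padding


class BitReader:
    def __init__(self, segment):
        raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
        self.bits = "".join(f"{b:08b}" for b in raw)
        self.pos = 0

    def read(self, width):
        if self.pos + width > len(self.bits):
            raise ValueError("TC String truncated")
        chunk, self.pos = self.bits[self.pos:self.pos + width], self.pos + width
        return int(chunk, 2) if width else 0

    def read_letters(self, count):
        return "".join(chr(self.read(6) + ord("A")) for _ in range(count))

    def read_flags(self, width):
        value = self.read(width)
        return {i for i in range(1, width + 1) if (value >> (width - i)) & 1}


def encode_core(c: TCCore) -> str:
    w = BitWriter()
    w.write(c.version, 6); w.write(c.created_ds, 36); w.write(c.last_updated_ds, 36)
    w.write(c.cmp_id, 12); w.write(c.cmp_version, 12); w.write(c.consent_screen, 6)
    w.write_letters(c.consent_language); w.write(c.vendor_list_version, 12)
    w.write(c.tcf_policy_version, 6); w.write(c.is_service_specific, 1)
    w.write(c.use_non_standard_stacks, 1); w.write_flags(c.special_feature_opt_ins, 12)
    w.write_flags(c.purposes_consent, 24); w.write_flags(c.purposes_li_transparency, 24)
    w.write(c.purpose_one_treatment, 1); w.write_letters(c.publisher_cc)
    for vendors in (c.vendor_consent, c.vendor_li):  # consent section, then legitimate interest
        max_id = max(vendors, default=0)
        w.write(max_id, 16); w.write(0, 1)           # MaxVendorId, IsRangeEncoding = 0 (bitfield)
        w.write_flags(vendors, max_id)
    w.write(0, 12)                                   # NumPubRestrictions = 0
    return w.to_base64url()


def decode_core(tc_string: str) -> TCCore:
    r = BitReader(tc_string.split(".")[0])           # core segment precedes any '.'-separated segment
    c = TCCore()
    c.version = r.read(6); c.created_ds = r.read(36); c.last_updated_ds = r.read(36)
    c.cmp_id = r.read(12); c.cmp_version = r.read(12); c.consent_screen = r.read(6)
    c.consent_language = r.read_letters(2); c.vendor_list_version = r.read(12)
    c.tcf_policy_version = r.read(6); c.is_service_specific = bool(r.read(1))
    c.use_non_standard_stacks = bool(r.read(1)); c.special_feature_opt_ins = r.read_flags(12)
    c.purposes_consent = r.read_flags(24); c.purposes_li_transparency = r.read_flags(24)
    c.purpose_one_treatment = bool(r.read(1)); c.publisher_cc = r.read_letters(2)
    for attr in ("vendor_consent", "vendor_li"):
        max_id = r.read(16)
        if r.read(1):                                # range encoding is not implemented here
            raise NotImplementedError("range-encoded vendor section")
        setattr(c, attr, r.read_flags(max_id))
    return c


# Constructed sample: consent recorded on 7 February 2022 through a fictitious CMP id 300.
SAMPLE = TCCore(created_ds=16_442_100_000, last_updated_ds=16_442_100_000, cmp_id=300,
                cmp_version=2, consent_screen=1, consent_language="NL", vendor_list_version=120,
                purposes_consent={1, 2, 3, 4, 7}, purposes_li_transparency={2, 7, 9, 10},
                vendor_consent={2, 8, 755}, vendor_li={8})

if __name__ == "__main__":
    tc = encode_core(SAMPLE)
    print(tc)
    print(decode_core(tc))
```

Two things stand out once the fields are laid bare. First, the string bundles decisecond-resolution timestamps, the CMP and its version, the banner screen, the language and the exact per-purpose and per-vendor bit pattern; that combination is what the decision refers to as the user’s unique ad preferences, and changing the timestamp by a single decisecond yields a different string. Second, there is no signature or MAC anywhere in the layout, so a recipient has no way to verify that a TC String reflects what the user actually chose.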
The authority also took a deep dive into the Real Time Bidding process and concluded that it entails many risks to the rights and freedoms of the individuals whose personal data is being processed, among them the large-scale processing of personal data and the processing of special categories of personal data.
The Belgian authority further held that IAB Europe acts as the data controller for the personal data processed through the TCF, since it ‘has a decisive influence on the purpose […] and means […] of the processing by imposing compulsory TCF parameters’. Without the TCF, the adtech vendors and publishers participating in the Real Time Bidding process would not be able to achieve the goals set by IAB Europe, irrespective of whether IAB Europe itself has access to the personal data being processed.
IAB Europe contested the authority’s view of its role in the processing. Being classified as a data controller brings greater accountability and a broader set of obligations to comply with.
Are there Joint Controllers?
As for the publishers, consent management platforms and adtech vendors, the supervisory authority examined whether they may be regarded as joint controllers. The answer depends on whether the intended data processing would be impossible without the participation of those parties, i.e. whether the processing operations they carry out are inseparable and indivisible. The authority held that the TCF is an ecosystem that collects and exchanges individuals’ preferences not for its own purposes but to facilitate further processing by the other parties. Those other parties are therefore to be considered joint controllers. The scope of their joint controllership with IAB Europe depends on how the TCF policies are implemented in each case and on any deviations from them.
Joint controllers do not have to be equally responsible for the processing. Different joint controllers may come in at different stages and to different degrees. Joint participation in determining the purposes and means can take the form of a common decision or result from different yet converging decisions. Establishing this requires a factual assessment of the circumstances rather than a purely formal legal one.
Alleged breaches of the GDPR
Since it was established that personal data is processed, the processing requires a legal basis under Art. 6 GDPR.
The Belgian authority came to the following conclusions for the registration of the individuals’ preferences and the collection and dissemination of personal data in the context of the Real Time Bidding mechanism:
- Consent and performance of a contract were not applicable
- Legitimate interest did not meet the required standard either, since the balancing test between the interests of the controllers and the fundamental rights and freedoms of the individuals came out against the processing. Guidance by the European Data Protection Board and the ICO clearly states that legitimate interest cannot serve as the legal basis for behavioural advertising, including in the context of Real Time Bidding.
Art. 6 GDPR is therefore not complied with and the principle of lawfulness is breached.
The authority also ruled that the principle of transparency was violated because the information provided under the TCF was too generic. In particular, the potential sharing of personal data with a very large number of adtech vendors requires thorough information for the individual.
Accountability, data protection by design and by default, integrity and confidentiality, security of processing
The Belgian authority found a lack of technical and organisational measures to ensure the integrity of the TC Strings generated under the TCF. The TC String format itself carries no cryptographic integrity protection, so recipients have no way to verify that a string reflects what the user actually chose. Given the vast number of TC Strings being generated, the authority regarded this as a severe breach of the controller’s obligations.
Not only does the actual implementation of the TCF breach its own policies on technical and organisational measures; according to the decision, adtech vendors are also allowed up to four breaches in their own implementation of the TCF before they are forced into compliance.
As regards data transfers to countries outside the EEA, the authority held that the TCF does not provide a mechanism to ensure that the participating parties have been informed about, or have implemented, adequate safeguards for third-country transfers of the TC String. This violates the obligations under GDPR Arts. 24 (responsibility of the controller) and 25 (data protection by design and by default).
Additional alleged breaches
The Belgian authority also found a wide variety of further GDPR violations in the TCF concerning the following topics:
- Purpose limitation and data minimisation
- Storage limitation
- Integrity and confidentiality
- Processing of special categories of personal data
- Exercise of data subject rights
- Records of processing activities
- Data protection impact assessment
- Designation of a data protection officer
The Belgian authority imposed a fine of €250,000 and gave IAB Europe two months to present an action plan for achieving compliance. Once the action plan has been presented, IAB Europe has six months to implement it.
IAB Europe has until 4 March 2022 to appeal the decision before the Belgian Market Court. The organisation has announced that it is assessing whether to challenge the decision in court.
Implications for EU businesses
This decision by the Belgian data protection authority establishes that IAB Europe’s widely used Transparency and Consent Framework infringes a multitude of requirements of EU data protection legislation. The ruling does not come as a surprise to most privacy professionals. As laid out in our blog post on Real Time Bidding, there are initiatives in the industry to rectify these flaws, although a GDPR-compliant solution seems to be at odds with the current fundamentals of the adtech industry.