15/02/22

Belgian DPA holds that IAB’s consent framework infringes GDPR

In a decision of 2 February 2022, the Belgian Data Protection Authority (the “BDPA”) considers that the Transparency and Consent Framework (“TCF”) of IAB Europe infringes the GDPR. This decision is of particular relevance to the whole online advertisement industry, as it does not only specifically target the TCF, which is relied on by many organisations for their online advertising practices, but also takes a stand on the lawfulness of processing in the context of Real-Time Bidding (“RTB”). The decision furthermore has an important EU-wide impact as the BDPA acted as lead supervisory authority and cooperated with the supervisory authorities of the other EU Member States before finalising its decision.

Background

RTB is a system of automated online advertising space allocation. In the online world, advertising space (i.e. a space on a page of a website or application) is often sold through an automated auction at the time a user consults a website. Through this auction, companies representing advertisers can instantly bid for advertising space to display targeted advertising specifically tailored to the user’s profile.

The TCF is a cross-industry ‘best practice’ standard developed by IAB Europe (a European business association for the digital marketing and advertising industry) that aims to facilitate the digital industry’s compliance with EU data protection laws.

Several parties are involved in the use of the TCF as part of RTB:

  • Publishers - parties who make advertising space available on their website or in their application and who are in direct contact with users whose personal data are collected and processed;
  • AdTech vendors - companies that receive data from a publisher and are entrusted with the task to fill advertising space on the publisher’s website; and
  • Consent Management Platforms (“CMPs”) - IT providers that offer software to collect a user’s consent and preferences (e.g. cookie pop-ups).

According to IAB Europe, the primary aim of the TCF is to provide accountability and transparency. It sets out guidelines and procedures for informing Internet users on the processing of their data for purposes linked to advertising and for registering such consent or consent preferences. 

Following several complaints against IAB Europe, filed both with the BDPA and with other supervisory authorities, the BDPA investigated the TCF and related practices, which resulted in the decision of 2 February 2022.

Decision of the Belgian DPA

Following its investigation, the BDPA concludes that IAB Europe infringes the GDPR as:

  • The TCF does not provide a lawful legal basis for processing (i) consent and consent preferences information (collected for the purpose of accountability), and (ii) personal data for the purpose of behavioural marketing – legitimate interests were rejected as legal basis for both (i) and (ii), and a valid opt-in consent is needed;
  • The TCF does not provide transparent information on the purposes of the processing and the recipients of personal data (data subjects are not able to identify the scope and consequences of the data processing and to give their informed consent thereto);
  • It did not implement sufficient technical and organisational measures to safeguard the integrity of the processed personal data;
  • It did not have a record of processing activities for its own data processing activities;
  • It had not carried out a Data Protection Impact Assessment (“DPIA”), which the BDPA deemed necessary as the TCF was developed for RTB, which is used to systematically and automatically monitor, record and influence user behaviour, including for advertising purposes; and
  • It had not appointed a DPO, which the BDPA deemed necessary having regard to the large scale of data processing effected through the TCF.

Consequently, the BDPA:

  • Orders IAB Europe to make the TCF “GDPR compliant”, which entails:
    • establishing an appropriate legal basis for collecting and sharing user preferences, which also means that (i) data already (unlawfully) collected and generated on the basis of the TCF must be deleted; and (ii) IAB Europe must prohibit the organisations taking part in the TCF from processing data on the basis of legitimate interests (only a valid opt-in consent is the proper legal basis);
    • obliging CMPs to provide clear and transparent information through their interfaces;
    • enhancing the security and integrity of the TCF;
    • guaranteeing that data subjects can effectively exercise their data subject rights;
    • appointing a DPO;
    • maintaining a record of data processing activities;
    • carrying out a data protection impact assessment; and
    • drafting an implementation plan within 2 months of the decision, which, after approval by the BDPA, must be rolled out within 6 months.
  • Imposes a fine of EUR 250,000 on IAB Europe.

Impact of this decision

The decision of the BDPA is expected to have a major impact on the AdTech and RTB industry (and beyond). Some key take-aways are set out below.

1. Responsibility of the actors involved – broad interpretation of notions of “personal data” and “joint controllership”

IAB Europe argued that it did not act as data controller for the collection of website visitors’ consents and preferences through the TCF, but the BDPA rejected this argument. It found that IAB Europe acted as a controller for such data processing given (i) the broad interpretation of the concept of data controller by the CJEU and the EDPB, and (ii) the fact that IAB Europe had a decisive influence on the purpose and means of the processing through the establishment of compulsory TCF parameters. The BDPA also confirmed that whether IAB Europe itself comes into contact with the personal data collected through the TCF is irrelevant to its qualification as data controller. 

Additionally, the BDPA looked into the responsibilities of all other actors involved in the TCF process for RTB. It held that IAB Europe, publishers, CMPs and AdTech vendors are jointly responsible for the processing of users’ preferences and consent under the TCF, the dissemination of such information and the data processing based thereon. Such a finding will likely have far-reaching implications for all actors involved in the online advertising chain, as they can be held responsible by a supervisory authority for infringements of the GDPR in the context of their participation in the TCF. This finding of joint controllership is in line with the overall tendency of supervisory authorities and courts to give a very (overly?) broad interpretation to the notion of joint controllership.

The notion of personal data is, once again, interpreted broadly, with the BDPA confirming that individuals are ‘identifiable’ within the meaning of the GDPR where the controller or another party has at their disposal the means by which the data subject may reasonably be expected to be identified, in particular where the purpose of the processing is the singling out of persons (for advertising or other purposes).

2. Legal basis – legitimate interests assessment

The BDPA distinguished between (i) data processing for capturing the consent, objections and preferences of website visitors, and (ii) collecting and disseminating personal data for the purposes of RTB. 

It found that, for capturing cookie consent and cookie preferences, IAB Europe and the other actors involved could not rely on their legitimate interest (i.e. the interest in remembering users’ cookie preferences in order to comply with their accountability obligations). While the purpose of the processing was legitimate and the processing was necessary, the BDPA found that, in this specific case, the rights and freedoms of data subjects still outweighed the interests of the data controllers. This does not, however, imply that article 6.1(f) GDPR can never be used for a cookie registering cookie consent/refusal or cookie preferences (and the processing of data connected thereto). The BDPA has already accepted that such a cookie can be an essential cookie not requiring consent. However, in the specific case of IAB Europe, the conditions of article 6.1(f) GDPR were not deemed to be met.

For the collection and dissemination of personal data in the context of RTB, the BDPA held that the consent obtained through the TCF was insufficiently free, specific, informed and unambiguous as:

  • The purposes were not sufficiently clear;
  • There was no overview of the categories of data processed;
  • The identity of the controllers was not clear; and
  • The identity of the recipients was not clear.

The key take-away here is that the BDPA held that, in view of the large number of recipients and the unpredictable reach of the enrichment of data, data subject consent will hardly ever be sufficiently informed in the context of RTB. The BDPA apparently considers that relying on consent for any type of complex online behavioural advertisement systems is very difficult, if not impossible.

3. Current reliance on TCF and processing for purposes of behavioural advertising 

As the BDPA held that the actors processing data in the context of the TCF are joint controllers for such processing activities, such actors can be held responsible (i) for further reliance on information unlawfully gathered under the TCF, and (ii) for any further reliance on data protection practices maintained under the current TCF. Consequently, organisations need to map whether they (or their service providers) are relying on the TCF for their online advertising and re-assess whether their legal bases and information notices would withstand a possible test in the context of the BDPA’s decision. In principle, any information based on the TCF, which is found to be unlawful, must also be promptly deleted. 

Moreover, as the BDPA’s decision also more generally touches upon the lawfulness of processing personal data for behavioural advertising practices and RTB, organisations involved in such activities should carefully review the legal bases they rely on and make sure that clear and unambiguous information is given to their website visitors in order to make sure that they obtain valid (informed and specific) consent.

What’s next?

The BDPA has granted IAB Europe a remediation period and IAB Europe has stated that it will draft an action plan to ensure the continuation of the TCF in a GDPR compliant manner. 

In the meantime, organisations relying on the TCF are advised to carefully assess the implications of the BDPA’s decision, as (i) the BDPA has implicitly held that it deems it very difficult, if not impossible, to make sure that data processing for RTB purposes (for which they are qualified as joint controllers) complies with the GDPR, and (ii) the Dutch supervisory authority has recently stated in an interview that websites and other organisations relying on IAB Europe’s TCF must immediately stop processing personal data on the basis thereof, without awaiting the outcome of the remediation plan (this position has, however, not yet been confirmed in an official statement).

Finally, IAB Europe has publicly stated that it will appeal the decision of the BDPA. When appealing, it can also request the suspension of the enforcement of the BDPA’s decision.

We remain of course available to assist with any further question you may have on this topic.
