The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR
The Belgian DPA has found that the Transparency and Consent Framework (TCF), developed by IAB Europe, fails to comply with a number of provisions of the GDPR. The TCF is a widespread mechanism that facilitates the management of users’ preferences for online personalised advertising, and that plays a pivotal role in so-called Real Time Bidding (RTB). The BE DPA imposed a €250.000 fine on the company, and gives IAB Europe two months to present an action plan to bring its activities into compliance.
Context of the case
Since 2019, the Belgian DPA received a series of complaints targeting Interactive Advertising Bureau Europe (IAB Europe). The complaints challenged the conformity of the so-called Transparency & Consent Framework (TCF) with the GDPR.
The TCF, developed by IAB Europe, aims to contribute to the compliance with the GDPR of organisations relying on the OpenRTB protocol.
The OpenRTB protocol is one of the most widely used protocols for “Real-Time Bidding”, i.e. the instantaneous automated online auction of users’ profiles for the sale and purchase of advertising space on the internet. When users access a website or application that contains an advertising space, technology companies representing thousands of advertisers can instantly (‘in real time’) bid behind the scenes for that advertising space through an automated auction system using algorithms, in order to display targeted advertising specifically tailored to that individual's profile.
When users visit a website or application for the first time, an interface (a Consent Management Platform or CMP) will pop up where they may consent to the collection and sharing of their personal data, or object to various types of processing based on the legitimate interests of ad tech vendors. This is where the TCF comes in: it facilitates the capture, through the CMP, of the users’ preferences. These preferences are then coded and stored in a “TC string”, which will be shared with the organisations participating in the OpenRTB system so that they know to what the user has consented/objected. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement.
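The TC string described above is a compact, bit-packed record of the user's choices. As an added example (not code from the DPA's decision or from IAB Europe's own libraries), the Python below encodes a constructed set of preferences into the core segment of a TCF v2 TC string and decodes it back. The field order and bit widths follow the public IAB TCF v2 core-string layout as understood by the author of this example; only the fixed header, the purpose fields and a bit-field vendor-consent section are handled, and the vendor legitimate-interest section, publisher restrictions and any segments after the first dot are left unparsed. A decoder like this lets an auditor read what a CMP actually stored in the euconsent-v2 cookie.

```python
"""Encode and decode the core segment of a TCF v2 "TC string".

Added example, not code from the Belgian DPA or IAB Europe. Field order and
bit widths follow the public IAB TCF v2 core-string layout as the author of
this example recalls it; everything after the vendor-consent bit field is
deliberately not handled.
"""
import base64

# (field name, bit width) in wire order, up to the vendor-consent section.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6),
    ("is_service_specific", 1), ("use_non_standard_stacks", 1),
    ("special_feature_opt_ins", 12), ("purposes_consent", 24),
    ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
    ("publisher_cc", 12),
]
SET_FIELDS = ("special_feature_opt_ins", "purposes_consent", "purposes_li_transparency")
LETTER_FIELDS = ("consent_language", "publisher_cc")


def _letters_to_int(two_letters):
    """Two uppercase letters packed as 6 bits each (A=0 ... Z=25)."""
    a, b = two_letters.upper()
    return ((ord(a) - 65) << 6) | (ord(b) - 65)


def _int_to_letters(value):
    return chr(65 + (value >> 6)) + chr(65 + (value & 63))


def _ids_to_bits(ids, width):
    """ID 1 is the most significant bit, ID `width` the least significant."""
    bits = 0
    for i in ids:
        if not 1 <= i <= width:
            raise ValueError(f"id {i} outside 1..{width}")
        bits |= 1 << (width - i)
    return bits


def _bits_to_ids(bits, width):
    return {i for i in range(1, width + 1) if (bits >> (width - i)) & 1}


def encode_core(fields, vendor_consent, max_vendor_id):
    """Build a base64url core segment from a dict of field values."""
    out = []
    for name, width in CORE_FIELDS:
        val = fields[name]
        if name in LETTER_FIELDS:
            val = _letters_to_int(val)
        elif name in SET_FIELDS:
            val = _ids_to_bits(val, width)
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name}={val} does not fit in {width} bits")
        out.append(format(val, f"0{width}b"))
    out.append(format(max_vendor_id, "016b"))
    out.append("0")  # IsRangeEncoding = 0: a plain bit field follows
    if max_vendor_id:
        out.append(format(_ids_to_bits(vendor_consent, max_vendor_id), f"0{max_vendor_id}b"))
    bitstr = "".join(out)
    bitstr += "0" * (-len(bitstr) % 8)  # pad to a byte boundary
    raw = int(bitstr, 2).to_bytes(len(bitstr) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def decode_core(tc_string):
    """Parse the core segment back into a dict; raises ValueError on bad input."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(format(byte, "08b") for byte in raw)
    pos = 0

    def take(n):
        nonlocal pos
        chunk = bits[pos:pos + n]
        if len(chunk) < n:
            raise ValueError("truncated TC string")
        pos += n
        return int(chunk, 2) if n else 0

    decoded = {}
    for name, width in CORE_FIELDS:
        val = take(width)
        if name in LETTER_FIELDS:
            val = _int_to_letters(val)
        elif name in SET_FIELDS:
            val = _bits_to_ids(val, width)
        decoded[name] = val
    max_vendor_id = take(16)
    if take(1):
        raise ValueError("range-encoded vendor section not handled in this example")
    decoded["vendor_consent"] = _bits_to_ids(take(max_vendor_id), max_vendor_id)
    return decoded


def sample_tc_string():
    """Constructed preferences: consent to purposes 1 and 3, legitimate-interest
    transparency for purpose 2, consent for vendors 2 and 5 of a list of 8.
    Timestamps are in deciseconds since the Unix epoch."""
    prefs = {
        "version": 2, "created": 16_500_000_000, "last_updated": 16_500_000_000,
        "cmp_id": 7, "cmp_version": 1, "consent_screen": 1,
        "consent_language": "EN", "vendor_list_version": 100,
        "tcf_policy_version": 2, "is_service_specific": 1,
        "use_non_standard_stacks": 0, "special_feature_opt_ins": set(),
        "purposes_consent": {1, 3}, "purposes_li_transparency": {2},
        "purpose_one_treatment": 0, "publisher_cc": "BE",
    }
    return encode_core(prefs, vendor_consent={2, 5}, max_vendor_id=8)


if __name__ == "__main__":
    s = sample_tc_string()
    print(s)
    print(decode_core(s))
```

Note that the decoded record contains no name, cookie id or IP address of its own: what makes the preferences attributable to a person, as the paragraph above explains, is the combination of this string with the euconsent-v2 cookie and the requesting IP address. Decoding a stored string this way is also a straightforward check, for a site operator or auditor, that the choices a CMP recorded match what the user was shown.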
Main findings: the TCF implies the processing of personal data
Contrary to IAB Europe’s claims, the Litigation Chamber of the BE DPA found that IAB Europe is acting as a data controller with respect to the registration of individual users’ consent signal, objections and preferences by means of a unique Transparency and Consent (TC) String, which is linked to an identifiable user. This means that IAB Europe can be held responsible for possible violations of the GDPR.
The BE DPA identified a series of GDPR infringements by IAB Europe:
- Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String, and the legal grounds offered by the TCF for the subsequent processing by adtech vendors are inadequate;
- Transparency and information of the users: the information provided to users through the CMP interface is too generic and vague to allow users to understand the nature and scope of the processing, especially given the complexity of the TCF. This makes it difficult for users to maintain control over their personal data;
- Accountability, security and data protection by design/by default: in the absence of organisational and technical measures in accordance with the principle of data protection by design and by default, including measures to ensure the effective exercise of data subject rights and to monitor the validity and integrity of the users’ choices, the conformity of the TCF with the GDPR is neither adequately warranted nor demonstrated;
- Other obligations pertaining to a controller processing personal data on a large scale: IAB Europe has failed to keep a register of processing activities, to appoint a DPO and to conduct a “DPIA” (data protection impact assessment).
In view of these infringements, the Litigation Chamber of the BE DPA has decided to impose serious sanctions, particularly because the TCF may lead to a loss of control of their personal information by large groups of citizens. The Litigation Chamber therefore imposed an administrative fine of 250.000 EUR on IAB Europe. What’s more, it ordered the company to undertake a series of corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR.
These measures include (among others):
- the establishment of a valid legal basis for the processing and dissemination of users' preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organisations participating in the TCF;
- the strict vetting of participating organisations in order to ensure that they meet the requirements of the GDPR.
The BE DPA gives IAB Europe two months to present an action plan to implement these corrective measures.
This decision can be appealed.
Hielke Hijmans, Chairman of the Litigation Chamber of the BE DPA: “The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness. People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”
The One-Stop-Shop Mechanism
The draft decision that the BE DPA had prepared was examined within the cooperation mechanism of the GDPR (the “one-stop-shop mechanism”). After serious scrutiny, and two objections that the BE DPA incorporated in a new draft, the present decision was approved by all concerned authorities, representing most of the thirty countries in the European Economic Area.
David Stevens, Chairman of the BE DPA: “Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online. Online privacy and the fight against too intrusive forms of advertising is an important priority for us.”
Hielke Hijmans concludes: “I am proud to see the pivotal work that the Inspection Service and our Litigation Chamber have done in this case, in close collaboration with our European counterparts in the one-stop-shop mechanism. This example shows that the one-stop-shop mechanism can be effective.”
You can read the full decision here.