There was an unexpected error authorizing you. Please try again.
arrow-downarrow-leftarrow-rightarrow-upbiocircleclosedownloadfacebookgplus instagram linkedinmailmenuphoneplaysearchsharespinnertwitteryoutube
Home

IAB Responds to Belgian DPA Ruling

EU-US Data Flows at Risk

This publication is intended for U.S. audiences and is not for those in the European Economic Area or the United Kingdom.

What Happened?

On February 2, 2022, the Belgian data protection authority (the “APD”) released a decision following its investigation of IAB Europe’s administration of the Transparency and Consent Framework (“TCF”).  The TCF is a set of technical standards and policies designed to help all parties in the digital advertising chain comply with the EU’S GDPR and ePrivacy Directive when processing personal data (or other information stored on a user’s device, such as cookies). The TCF works by encoding and signaling users’ privacy preferences in transparency and consent strings (“TC Strings”).

The APD’s decision asserts that for GDPR purposes, TC Strings are personal data and that IAB Europe is a co-controller of TC Strings (along with other entities that process TC Strings). Further, the decision orders IAB Europe to take certain steps to bring its processing of any personal data in TC Strings into compliance with the GDPR.

The IAB joins IAB Europe in disagreeing with this conclusion.

What does the APD’s decision order the IAB Europe to do?

The APD’s decision orders IAB Europe to take the following actions:

  • Establish its own legal basis for processing TC Strings insofar as it is a controller of personal data in connection with TC Strings.
  • Delete TC Strings with globally-scoped consents from servers IAB Europe controls (the current version of the TCF no longer supports globally-scoped consents, in any case).
  • Make updates to the TCF, including:
    • Improving the technical and organizational measures used to ensure the integrity of TC Strings.
    • Implementing audit procedures for TCF participants to evaluate their GDPR compliance.
    • Removing legitimate interest as an available legal basis under the TCF.
    • Setting new standards for and increasing the uniformity of the user interfaces presented by participating consent management platforms (CMPs).
  • Take procedural steps the GDPR requires of controllers of personal data, including updating records of processing activities, carrying out a data protection impact assessment, and appointing a Data Protection Officer.
  • Pay an administrative fine.

The order provides IAB Europe with two months to develop an action plan for complying with the decision that can then be executed within a six-month time frame. IAB Europe is not prohibited from operating the TCF during this interim period.

What is the scope of the remedial actions ordered by the APD?

IAB Europe was the subject of the APD’s investigation, and the GDPR compliance issues identified by the APD are focused on the IAB Europe’s role as the Managing Organization of the TCF. Accordingly, the orders issued in the APD’s decision are limited to the IAB Europe in its role as the TCF’s Managing Organization.

Further, the decision clearly distinguishes its findings regarding the IAB Europe’s role in managing the TCF and TC Strings from other processing of personal data that may occur through OpenRTB advertising transactions. The Chairman of the APD’s litigation chamber, Hielke Hijmans, also emphasized that the decision is limited to the TCF, “not the whole real time bidding system[.]”

Every controller of personal data under the GDPR is responsible for establishing its own legal basis for processing personal data, but the APD’s decision does not order specific actions regarding any entity other than IAB Europe. For example, the decision states explicitly that the IAB Tech Lab merely acts as a provider of the OpenRTB system and is not a data controller for any personal data processed through OpenRTB.

How is the IAB Europe responding to the decision?

IAB Europe released a statement rejecting the APD’s findings, and have published a “FAQ” document available for download here. Specifically, IAB Europe disagrees with the conclusion that it is a controller of any personal data in TC Strings as a consequence of its administration of the TCF. IAB Europe is currently appealing the ruling.

In parallel with its efforts to challenge the APD’s novel conclusion that IAB Europe is a “controller” of TC Strings, IAB Europe will convene its TCF working group and develop an action plan for responding to the APD’s orders concerning updates to the TCF itself.

The IAB and The IAB Tech Lab are actively supporting IAB Europe in responding to the APD’s decision and in meeting the challenges posed by it. IAB Tech Lab is working to assist IAB Europe with incorporating new products and technical standards that will meet the new market requirements.

About IAB

The Interactive Advertising Bureau empowers the media and marketing industries to thrive in the digital economy. Its membership comprises more than 700 leading media companies, brands, agencies, and the technology firms responsible for selling, delivering, and optimizing digital ad marketing campaigns. The trade group fields critical research on interactive advertising, while also educating brands, agencies, and the wider business community on the importance of digital marketing. In affiliation with the IAB Tech Lab, IAB develops technical standards and solutions. IAB is committed to professional development and elevating the knowledge, skills, expertise, and diversity of the workforce across the industry. Through the work of its public policy office in Washington, D.C., the trade association advocates for its members and promotes the value of the interactive advertising industry to legislators and policymakers. Founded in 1996, IAB is headquartered in New York City.

IAB Media Contacts
Kate Tumino / Brittany Tibaldi
212-896-1252 / 347-487-6794
[email protected]/ [email protected]