IAB Europe has been fined €250,000 (£208,300) by the Belgian Data Protection Authority after its Transparency and Consent Framework, which is the mechanism used by 80 per cent of the European internet to seek consent for tracking personal data for online advertising targeting, was ruled non-compliant with the GDPR. The decision was taken by 28 EU data protection authorities, led by the Belgian Data Protection Authority, as the leading supervisory authority in the GDPR’s one-stop-mechanism. The decision is immediately binding and enforceable across the European Union.
The regulators found that IAB Europe commits multiple violations of the GDPR in its processing of personal data in the context of the TCF and the real-time bidding system OpenRTB. The ruling said it fails to ensure personal data are kept secure and confidential. It fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by online advertising tracking. And that it fails to provide transparency about what will happen to people’s data.
It also found that IAB Europe had failed to honour its data protection obligations to maintain records of data processing; to conduct a data protection impact assessment; and to appoint a Data Protection Officer. The Belgian Data Protection Authority described IAB Europe as “negligent”.
In addition to the fine, IAB Europe has been ordered to delete all TC (Transparency Consent) Strings and other personal data already processed in the TCF from all its IT systems. In its report on the verdict, the Irish Council for Civil Liberties stated that this decision would also apply to the more than 1,000 companies that pay IAB Europe to use the TCF, including Google’s, Amazon’s and Microsoft’s online advertising businesses.
The regulators have given IAB Europe two months to submit an action plan to achieve compliance to the Belgian Data Protection Authority, and six months to implement it.
In response, IAB Europe has issued the following statement:
"IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe. We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.
"We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.
"Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin."