9 February 2022
On 2 February 2022 the Belgian Data Protection Authority ("Belgian DPA") ruled that IAB Europe's Transparency and Consent Framework ("TCF") does not comply with the GDPR and fined IAB Europe €250,000. While the sanctions imposed by the Belgian DPA were limited to the processing of personal data in the TCF itself, the decision potentially has broader implications both for the real-time-bidding ("RTB") ecosystem and for intermediaries and providers of technical standards and frameworks involving the processing of personal data.
The TCF was developed by IAB Europe as a way of obtaining and managing consent for RTB conducted through the OpenRTB protocol. The OpenRTB system and the associated Advertising Common Object Model were created by IAB Technology Laboratories, Inc ("IAB Tech Lab") and Interactive Advertising Bureau, Inc ("IAB"). OpenRTB is one of the main protocols governing how data is collected and shared, and how adverts are served, alongside Google's "Authorized Buyers" framework.
The TCF is a separate set of policies, technical specifications, terms and conditions, created with the intention of providing transparent information to, and obtaining valid consent from, users with regard to the processing of their personal data in RTB.
Key players within the TCF are companies referred to as "Consent Management Platforms" ("CMPs"). A CMP takes the form of a pop-up that appears when a user first visits a site to collect the user's consent to the placement of cookies and other online trackers. The IAB's CMP generates a character string referred to as the "TC String" (i.e. "Transparency and Consent String"). This is meant to capture the preferences of a site visitor, or of a party that makes advertising space available on its website (a "publisher") and has integrated the CMP, including consent to the processing of personal data for marketing and other purposes, whether personal data may be shared with adtech vendors, and any exercise of the right to object. Vendors can then decode the TC String to determine whether they have the necessary legal basis to process a user's personal data for the specified purposes.
When a user accesses a publisher's site, the CMP checks whether a TC String already exists for this user. If not (or if the existing TC String is not up to date), the CMP will give the user an option to consent to the collection and sharing of their personal data, generate a new TC String reflecting the user's choices and place a "euconsent-v2" cookie on the user's device (or update the existing cookie).
A total of nine complaints were filed with the Belgian DPA in the course of 2019 in respect of alleged breaches by IAB Europe of various provisions of the GDPR. The complaints related to the principles of lawfulness, appropriateness, transparency, purpose limitation, storage limitation and security, as well as to accountability. Five of these were originally filed with supervisory authorities in other EU countries.
The Belgian DPA concluded that:
In addition to imposing a €250,000 fine, IAB Europe also was ordered to work with the Belgian DPA to:
The collection and dissemination of TC Strings was designed to facilitate processing of personal data through the OpenRTB protocol and compliance with the requirements of the ePrivacy Directive and the GDPR. The decision that the processing of TC Strings is unlawful and the obligation to delete any data collected by means of a TC String inevitably undermines the lawfulness of processing of personal data in the broader context of the OpenRTB system.
In addition, the criticisms of the TCF framework by the Belgian DPA are likely to be relevant for the RTB ecosystem as a whole.
The Belgian DPA reiterated that the legitimate interests of participating organisations cannot be deemed an adequate legal ground for the processing activities occurring under OpenRTB. In line with the EDPB's assessment[1], the same would apply to RTB in general.
With respect to consent, the Belgian DPA's view is that the TCF does not, in its current format, obtain valid consent under the GDPR for processing in the context of OpenRTB on the basis that:
While most of the above can, potentially, be remediated, one of the criticisms of the consent mechanism implemented through the TCF is that the list of recipients is so long that users would need a disproportionate amount of time to read this information, which means that their consent can rarely be sufficiently informed. Given the number of organisations involved in RTB in general, this point will apply to any consent mechanism for processing in the RTB ecosystem, not just TCF.
In its response to the Belgian DPA's decision, IAB stated that "it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct." This process has essentially been accelerated now that a specific deadline has been set by the Belgian DPA for updating the TCF to address the Belgian DPA's concerns. IAB Europe has published an FAQ relating to the decision.
There is therefore scope for optimism that, at the end of this process, users of OpenRTB might have a privacy framework for RTB approved by an EU regulator that has, traditionally, taken a relatively conservative approach in interpreting the GDPR.
In the meantime, as complaints and individual claims become more frequent across Europe and the UK, ongoing use of TCF and RTB comes with a heightened risk of enforcement action and compensation claims.
The decision once again highlights the broad approach taken by data protection authorities to the concepts of "personal data" and "controller", thus reinforcing the risk that:
There is a temptation to argue that the implementation of a data processing "rulebook" for users of a platform falls outside the scope of data controllership, either because the platform provider has no access to the data being processed or because its processing operations are limited to facilitating technical integrations that give effect to the processing "rulebook" binding participating users. IAB Europe is certainly not alone in grappling with this issue; it just happens to do so in an area that is receiving increasing attention from regulators and individuals, given the growing awareness of data processing practices within RTB.
Organisations that perform a similar intermediary role, such as data collection and sharing platforms or technical integration service providers acting as "pass-throughs" for data, may need to assess the level of contractual and practical control they have over the purposes for which data are processed by their customers. A relaxation of control would also need to be balanced against the regulatory and contractual risk exposure faced by such intermediaries as a result of customers' use of data, particularly where such customers are located and process data outside of the EEA and UK.
Note also that contractual risk mitigation strategies may not be sufficient to excuse data intermediaries from their responsibilities. In fact, the Inspection Service's submissions to the Belgian DPA's litigation chamber flagged exclusions of liability and disclaimers of warranties as aggravating factors that showed IAB Europe's failure to carry out its responsibilities as a data controller, which should have included verification of the degree of data protection compliance by participating publishers and CMPs, and which did not meet the requirements of Articles 24 and 25 of the GDPR.
[1] Article 29 Working Party, Opinion 03/2013 on purpose limitation, p. 46: "consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research."