Feb 02, 2022, 22:30 pm
Belgium’s data watchdog found that the industry standard for managing user preferences in Europe violates several General Data Protection Regulation (GDPR) provisions, and it asked advertisers to delete the collected data.
The Belgian data protection authority issued a long-awaited decision on Wednesday (2 February) based on a series of complaints filed in 2019 against the Interactive Advertising Bureau Europe (IAB), the trade association for digital advertising.
The complaints related to the IAB Europe’s Transparency & Consent Framework (TCF), which advertisers use to capture user preferences. These preferences are shared in real-time auctions that occur in fractions of seconds to allocate advertising space.
“The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness,” said Hielke Hijmans, the chairman of the authority’s litigation chamber.
Through the framework, users are invited to express their preferences via a pop-up banner when visiting a website. The TCF stores that preference and makes it available to the organisations participating in the online auction.
“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day to expose them to personalised ads,” Hijmans added.
User preferences are also stored on the device via a cookie, which, combined with the data stored by the TCF, links to the IP address, a unique code that can identify the user.
The Belgian authority deemed IAB Europe a data controller responsible for GDPR violations, a point the association contests, arguing it merely supported the industry in developing a common standard.
“Controllership seems to have been broadened over to IAB exactly because they designed the system, not because they process data,” said Otto Lindholm, head of data and privacy at Dottir Attorneys.
“Now the providers will scratch their heads wondering how far they can take their expertise in recommending systems and solutions for their clients, without stepping over the fuzzy line of controllership,” Lindholm noted.
For Charles-Albert Helleputte, head of privacy practice at Steptoe, the decision “confirms a trend; supervisory authorities are working towards exploring broad extension of fundamental GDPR concepts.”
Helleputte argues that the reason, in this case, was opportunistic, as targeting the standard-setting organisation is likely more convenient than going against the entire ecosystem.
The Belgian authority found that IAB Europe did not have a legal basis for processing personal data, and the legal grounds for sharing that data with vendors were ‘inadequate’.
“The DPA has made explicit what many observers have been saying for some time: that ‘legitimate interests’ is not a valid legal basis for processing personal data obtained via non-essential cookies,” Robert Bateman, research director at the GRC World Forums, told EURACTIV.
Bateman noted that since users should not be asked to opt out of non-essential cookies, “this could be the end of those long drop-down lists of vendors automatically toggled ‘on’ by default seen on many websites.”
The trade association also did not comply with the obligations of a data processor, such as keeping a registry or conducting impact assessments.
Moreover, the authority considered that users were not adequately informed about TCF’s functioning. It noted the system failed to keep data secure and confidential, violating the requirement for “data protection by design.”
“Today’s decision frees hundreds of millions of Europeans from nuisance and misleading consent requests. It should also protect them from illicit surveillance by tech firms,” said Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties (ICCL) and one of the architects behind the complaints.
ICCL estimates that the TCF accounts for 80% of Europe’s internet, including over 1,000 companies and significant advertisers such as Google, Amazon and Microsoft. As a consequence of the decision, all data collected via TCF will be deleted.
The Belgian data watchdog imposed on IAB Europe a €250,000 sanction and several corrective measures to ensure the TCF is made compliant with the GDPR.
These remedies include the establishment of a legal basis and the vetting of participating organisations to ensure they are also compliant with EU privacy rules.
“This could have a big impact on the digital advertising landscape, but it remains to be seen how effectively the IAB can ensure TCF participants are GDPR-compliant,” Bateman added.
IAB Europe now has two months to present an action plan demonstrating how it will comply with the authority’s decision and six months to carry it out.
In a statement, IAB Europe committed to working with the Belgian authority in the coming months and welcomed that the decision did not prohibit the TCF altogether, as the complainants asked.
“We are considering all options with respect to a legal challenge,” the statement adds.
https://www.euractiv.com/section/digital...acy-rules/