IAB Europe’s Transparency & Consent Framework, a key pillar of how online advertising is conducted on the Continent, is in breach of laws protecting people’s data privacy, a key European regulator has ruled.
The Belgian data protection authority, the APD-GBA, ruled on 16 October that the TCF, a set of best-practice guidelines for collecting and processing data for ad targeting, is in breach of the General Data Protection Regulation.
The APD-GBA is the lead enforcer on internet privacy for the European Union, so its findings will be seen as significant. Each member state has a national data protection authority, as does the UK, which had chosen to adopt the GDPR into UK law after Brexit. But Belgium is the “lead supervisory authority” under the GDPR “one-stop-shop” mechanism.
Critics have blamed the TCF, released in March 2018 on the eve of GDPR being enacted, for being inadequate in ensuring user consent in the way programmatic ads are served via real-time bidding.
Last year, IAB Europe launched a new version of the TCF, which it said would provide more transparency and control for publishers over how and why data was being collected from users for advertising purposes.
Following complaints made in 2018 by a range of privacy campaigners and academics, the Belgian regulator reported preliminary findings that the IAB framework allows advertisers to swap sensitive information about people even when they have not been authorised to do so.
“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects,” the report said.
The IAB Framework, the regulator added, fails to provide adequate controls for the processing of intimate personal data that occurs in real-time bidding, the auction-based system in which online ads are bought and sold within nanoseconds and served to internet users based on data held about them.
It added: “The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data.”
The APD-GBA Inspectorate Service has forwarded its findings to the APD-GBA Litigation Chamber, which will hear evidence from the complainants and the IAB. If there is enforcement action, this is expected to take place early next year.
Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and one of the complainants, told Campaign: “The IAB Framework is used by Google and others to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. Now, the APD-GBA is peeling this veneer off.”
Ryan, who made the complaint while working for Brave, the tracking-blocking internet browser, has consistently argued that it is impossible to ask for GDPR-compliant consent for real-time bidding, because the process leaks what people are reading, listening to and watching to an unknown number of companies.
The ICO appeared to agree, having launched an investigation into RTB and warned that a world of “perverse incentives” had been created in which being intrusive was being rewarded with better prices for online advertising.
However, the ICO paused the probe last May because it did not want to put the online advertising industry under “undue pressure” amid the economic impact of the coronavirus pandemic.
In a statement reacting to the APD-GBA report, IAB Europe said it disagreed with the authority’s interpretation of the law and that the TCF was written after consulting regulators across the Continent.
It said: “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with multiple DPA guidance materials across the EU (CNIL, DPC, ICO, etc), should be the focus of an enforcement action, rather than an opportunity for a constructive, good-faith dialogue on how the TCF can be improved in ways that better align with the APD’s vision and with consumer and industry needs.
“Over the past three years we have had the chance to present the TCF to a number of European DPAs, whose feedback we reflected in important changes in the V2 of the Framework, rolled out earlier this year. We will be fully engaging with the APD over the coming months as its services conduct evaluations on the merits of the report. We will also continue to work with regulators and seek their guidance on how the TCF can promote compliance with both the GDPR and the ePrivacy Directive.”