On November 25, 2021, the Belgian Data Protection Authority (DPA)  issued a press release concerning its draft decision in the case against Interactive Advertising Bureau Europe (IAB Europe) relating to their Transparency & Consent Framework (TCF). The DPA noted that its draft decision has now been sent to the concerned supervisory authorities pursuant to Article 60 of the GDPR for their feedback. The concerned supervisory authorities will have four weeks to respond.

Background to the Belgian DPA’s Draft Decision in the IAB Europe Case

In 2019, a series of complaints were filed with the Belgian DPA relating to the IAB TCF and whether it conforms with the GDPR. Subsequently, the Belgian DPA launched an investigation into IAB TCF.

In October 2020, statements on the findings of the Belgian DPA’s investigation were released by the Irish Council for Civil Liberties, which revealed that IAB TCF is in breach of the GDPR. According to the statements, the Belgian DPA concluded that the IAB TCF allowed companies to swap sensitive information about people without authorization. It was also stated that IAB TCF did not provide adequate controls for processing personal data that occurs in its OpenRTB system.

In November 2021, IAB Europe was notified that the Belgian DPA was close to finalizing its draft ruling, concluding the investigation of IAB Europe and its role in the TCF. In a press release, IAB Europe said that it had been informed that the draft ruling will identify infringements of the GDPR by IAB Europe, specifically relating to the use of TCF ‘TC Strings’, the digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content, and measurement.

What’s Next for the IAB TCF Case?

The Belgian DPA has now finalized its draft decision in the IAB Europe case and has notified the relevant supervisory authorities of the decision. The concerned authorities now have four weeks to respond with feedback to the draft decision.

The Belgian DPA has outlined two possible scenarios for the future of the draft decision:

• No relevant or reasoned objection to the draft decision is made therefore the decision can be finalized by the Belgian DPA; or
• One or more of the authorities involved expresses a relevant and reasoned objection to the draft decision., Subsequently the Belgian DPA will either:
  • Submit a revised draft to the concerned authorities, taking this objection into account, or
  • The objection will not be considered reasoned or relevant and could therefore initiate the dispute resolution mechanism under Article 65 of the GDPR.

The Belgian DPA highlighted that it is unable able to comment further due to the confidential nature of the cooperation mechanism. Following the conclusion of the cooperation procedure, the final decision will be adopted by the Belgian DPA.