Belgian DPA approves action plan for IAB Europe’s TCF

IAB Europe’s Transparency and Consent Framework (TCF) was found to be in violation of GDPR in 2022. The Belgian DPA has now approved an action plan to bring the framework in line with the law.

Alex Cash, Director of Strategy, Consent & Preferences | CIPP/E, CIPM


On February 2, 2022, the Belgian DPA issued its decision in the case brought against IAB Europe and its Transparency and Consent Framework (TCF). The case centered around a number of complaints made to the Belgian DPA in 2019 relating to the role that the IAB TCF plays in the OpenRTB system and its use of ‘TC Strings’ to capture data subjects’ consent preferences. Just under 12 months later, the Belgian DPA approved an action plan to bring the processing of personal data within the IAB TCF into compliance with the GDPR. IAB Europe will have six months to implement the plan.

The Belgian DPA issued its draft decision in November 2021, which at the time gave the relevant supervisory authorities four weeks to provide feedback under the one-stop-shop mechanism. In its decision, the Belgian DPA highlighted that the draft decision received ‘serious scrutiny’, and two objections were incorporated into its final decision. The Belgian DPA subsequently found that IAB Europe and the TCF did not comply with many of the provisions of the GDPR and issued a monetary penalty of €250,000 as well as giving IAB Europe two months to present a corrective action plan.

This action plan was approved on January 11, 2023. While the DPA will not release information on the content of the action plan, IAB Europe will have six months to implement the changes, which are likely to include setting stronger data protection-related requirements for CMP user interfaces.

What is the IAB Europe TCF case?

In 2019, 22 complaints were made to the Belgian DPA relating to the IAB TCF and whether it violates the GDPR, which resulted in the Belgian DPA launching an investigation.

In 2020, it was concluded that the IAB TCF was in breach of the GDPR because the framework allowed organizations to swap personal information about data subjects without prior authorization and did not provide adequate controls for the processing of personal data in the OpenRTB system.

13 months later, the Belgian DPA notified IAB Europe that it was close to finalizing a draft ruling in the case, specifically in relation to the use of ‘TC Strings’ for sharing consent preferences within the framework. The Belgian DPA’s draft findings were subsequently disseminated to the relevant supervisory authorities in Europe pursuant to Article 60 of the GDPR for their feedback. The concerned authorities had four weeks to provide their feedback which was incorporated in the final decision issued by the Belgian DPA.

In January 2023, an action plan was approved by the Belgian DPA giving IAB Europe six months to update the framework.

What were the findings of the Belgian DPA in the IAB Europe case?

In its final decision, the Belgian DPA stated that it found IAB Europe to be acting as a data controller in relation to processing data subjects’ consent preferences through ‘TC Strings’. As a result, IAB Europe can be held responsible for infringements of the GDPR’s provisions. In particular, the Belgian DPA noted that it had found IAB Europe responsible for the following violations:

  • Failure to establish a lawful basis for processing personal information
  • Failure to adequately inform data subjects of the nature and scope of the processing given the complexity of the TCF
  • A lack of technical and organizational measures in line with the Privacy by Design/Default principle
  • Failure to keep a record of processing activities
  • Failure to appoint a Data Protection Officer (DPO)
  • Failure to conduct a Data Protection Impact Assessment (DPIA)

The Belgian DPA also included in its findings that IAB Europe as well as consent management platforms (CMPs), publishers, and participating AdTech vendors should be regarded as joint data controllers for the purposes of collecting and processing the consent preferences of the data subject.

“The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness. People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.” – Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian DPA

What was IAB Europe’s response?

On February 2, 2022, IAB Europe issued its own statement in response to the Belgian DPA’s findings. The statement acknowledged the decision issued by the Belgian DPA; however, it rejected the finding that it acts as a data controller in the context of the TCF. At the time, IAB Europe stated it was exploring its legal options to challenge the findings.

On January 11, 2023, IAB Europe responded to the Belgian DPA’s approval of the remediation action plan. Within its response, IAB stated its reservations about the DPA pre-empting the CJEU’s response in relation to an appeal that is still awaiting a preliminary ruling. These include the assumption that TC Strings are considered personal data and that IAB is considered a joint controller of processing activities performed by TCF participants. IAB states that its reservations stem from a position of sustainable development and not “initiat[ing] changes to the TCF that might need to be rolled back at the end of the appeal process.”

What does the Belgian DPA ruling mean for publishers using TCF, including OneTrust customers?

This ruling came amidst several regulatory and industry shifts impacting the AdTech ecosystem. More publishers, marketers, and industry thought leaders are questioning how they can offer consumers personalization while maintaining user privacy.

The Belgian DPA’s decision identified underlying compliance issues with real-time bidding, and as a result, the industry will need to come together to update existing or create new standards or frameworks that build trusted relationships between publishers, advertisers, and consumers. First-party data and cookie-blocking solutions are likely to become increasingly important moving forward.

IAB Europe has since presented an action plan to the DPA which has been approved. Although currently there are few public details on the changes that publishers will need to make to their web properties to align with the new framework, IAB Europe will have six months to implement the changes to the framework.

Website operators using TCF will also need to publish updates to their CMP within the next six months, in order to adopt the changes required by the action plan.

What’s next in the IAB Europe case?

As an immediate result of the decision, the Belgian DPA issued a €250,000 administrative fine to IAB Europe in light of its findings as well as noting that the TCF may lead to a loss of control of large quantities of personal information.

The longer-term impact of the decision rests on the Belgian DPA’s approval of IAB Europe’s action plan. IAB Europe has six months to implement the changes approved by the DPA, bringing the TCF into compliance with the GDPR.

Without further details of the action plan, it is difficult to say what the TCF will look like once remedied. However, the Belgian DPA outlined a set of corrective actions that IAB Europe should seek to include in its action plan, which will likely feature in the approved remediation. These include establishing a valid legal basis for processing and sharing personal information; prohibiting organizations that participate in the TCF from relying on legitimate interest as a legal basis for processing; establishing procedures to vet organizations that participate in the TCF to ensure they comply with the GDPR’s requirements; and setting stronger data protection-related requirements for CMP user interfaces.

The Belgian DPA has stated that it will not communicate the content of the action plan at this time due to the proceedings pending before the courts and tribunals. Therefore, publishers will have to watch this space carefully over the next six months for updates relating to the TCF and the actions they will need to take as a result.

