On March 15, 2023, the Belgian Data Protection Authority (DPA) voluntarily suspended the six-month implementation period of IAB Europe’s action plan. This means the deadline of July 11, 2023 for IAB Europe to implement the action plan no longer applies.
This action has taken place due to a second appeal to the Belgian Market Court from IAB Europe, requesting interim measures to be put in place around the implementation of the action plan, since the previous decision took place as points around data controllership and personal data under the GDPR were still being examined by the Court of Justice European Union (CJEU).
The Belgian Market Court’s ruling on this second appeal is expected at the end of Q2 or the beginning of Q3 2023. If it then upholds the Belgian DPA’s validation decision of January 2023, the implementation period of six months will resume at that time. This would postpone the deadline for implementation to Q4 2023 instead of July 11, 2023.
On February 2, 2022, the Belgian DPA issued its decision in the case brought against IAB Europe and its Transparency and Consent Framework (TCF). The case centered around a number of complaints made to the Belgian DPA in 2019 relating to the role that the IAB TCF plays in the OpenRTB system and its use of ‘TC Strings’ to capture data subjects’ consent preferences. Just under 12 months later, the Belgian DPA approved an action plan to bring the processing of personal data within the IAB TCF into compliance with the GDPR. IAB Europe’s implementation timeline is still under discussion.
The Belgian DPA issued its draft decision in November 2021, which at the time gave the relevant supervisory authorities four weeks to provide feedback under the one-stop-shop mechanism. In its decision, the Belgian DPA highlighted that the draft decision received ‘serious scrutiny’, and two objections were incorporated into its final decision. The Belgian DPA subsequently found that IAB Europe and the TCF did not comply with many of the provisions of the GDPR and issued a monetary penalty of €250,000 as well as giving IAB Europe two months to present a corrective action plan.
This action plan was approved on January 11, 2023, and while the DPA will not release information on the content of the action plan, IAB Europe will have to implement the changes which are likely to include setting stronger data protection-related requirements for CMP user interfaces. The implementation timeline has not yet been finalized.
In 2019, 22 complaints were made to the Belgian DPA relating to the IAB TCF and whether it violates the GDPR which resulted in the Belgian DPA launching an investigation.
In 2020, it was concluded that the IAB TCF was in breach of the GDPR due to the framework allowing organizations to swap personal information about data subjects without prior authorization as well as the IAB TCF not providing adequate controls for the processing personal data in the OpenRTB system.
Thirteen months later, the Belgian DPA notified IAB Europe that it was close to finalizing a draft ruling in the case, specifically in relation to the use of ‘TC Strings’ for sharing consent preferences within the framework. The Belgian DPA’s draft findings were subsequently disseminated to the relevant supervisory authorities in Europe pursuant to Article 60 of the GDPR for their feedback. The concerned authorities had four weeks to provide their feedback which was incorporated in the final decision issued by the Belgian DPA.
In January 2023, an action plan was approved by the Belgian DPA giving IAB Europe six months to update the framework. Just two months later, in March 2023, this six-month deadline was suspended, and the implementation timeline is currently under review.
In its final decision, the Belgian DPA stated that it found IAB Europe to be acting as a data controller in relation to processing data subjects’ consent preferences through ‘TC Strings’. As a result, IAB Europe can be held responsible for infringements of the GDPR’s provisions. In particular, the Belgian DPA noted that it had found IAB Europe to be in breach of the following violations:
The Belgian DPA also included in its findings that IAB Europe as well as consent management platforms (CMPs), publishers, and participating AdTech vendors should be regarded as joint data controllers for the purposes of collecting and processing the consent preferences of the data subject.
“The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness. People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.”
— Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian DPA
On February 2, 2022, IAB Europe issued its own statement in response to the Belgian DPA’s findings. The statement acknowledged the decision issued by the Belgian DPA; however, it rejected the finding that it acts as a data controller in the context of the TCF. At the time, IAB Europe stated it was exploring its legal options to challenge the findings.
On January 11, 2023, IAB Europe responded to the Belgian DPA’s approval of the remediation action plan. Within its response, IAB stated its reservations about the DPA pre-empting the CJEU’s response in relation to an appeal that is still awaiting a preliminary ruling. These include the assumption that TC Strings are considered personal data and that IAB is considered a joint controller of processing activities performed by TCF participants. IAB states that its reservations stem from a position of sustainable development and not “initiat[ing] changes to the TCF that might need to be rolled back at the end of the appeal process.”
This ruling came amidst several regulatory and industry shifts impacting the AdTech ecosystem. More publishers, marketers, and industry thought leaders are questioning how they can offer consumers personalization while maintaining user privacy.
The Belgian DPA’s decision identified underlying compliance issues with real-time bidding, and as a result, the industry will need to come together to update existing or create new standards or frameworks that build trusted relationships between publishers, advertisers, and consumers. First-party data and cookie-blocking solutions are likely to become increasingly important moving forward.
IAB Europe has since presented an action plan to the DPA which has been approved. Although currently there are few public details on the changes that publishers will need to make to their web properties to align with the new framework, IAB Europe will have to implement the changes to the framework.
Website operators using TCF will also need to publish updates to their CMP in order to adopt the changes required by the action plan. OneTrust is monitoring the case closely and has prepared an action plan for when a formal decision is made on TCF.
As an immediate result of the decision, the Belgian DPA issued a €250,000 administrative fine to IAB Europe in light of its findings as well as noting that the TCF may lead to a loss of control of large quantities of personal information.
The longer-term impact of the decision rests on the Belgian DPA’s approval of IAB Europe’s action plan. IAB Europe has to implement the changes approved by the DPA bringing the TCF into compliance with the GDPR, although the timeline for implementation is still yet to be finalized.
Without further details of the action plan, it is difficult to say what the TCF will look like once remedied, however, the Belgian DPA outlined a set of corrective actions that IAB Europe should seek to include in their action, which will likely feature in the approved remediation. These include establishing a valid legal basis for processing and sharing personal information; prohibiting organizations that participate in the TCF to rely on legitimate interest as a legal basis for processing; and establishing procedures to vet organizations that participate in the TCF to ensure they comply with the GDPR’s requirements as well as setting stronger data protection-related requirements for CMP user interfaces.
The Belgian DPA has stated that it will not communicate the content of the action plan at this time due to the proceedings pending before the courts and tribunals. Therefore, publishers will have to watch this space carefully over the next few months for updates relating to the TCF and the actions they will need to take as a result.