Belgian DPA Issues Final Decisio...
Belgian DPA Issues Final Decision in IAB...

Belgian DPA Issues Final Decision in IAB Europe Case

Belgian DPA finds IAB Europe’s Transparency and Consent Framework (TCF) in violation of GDPR

clock6 Min Read

Featured Image

On February 2, 2022, the Belgian DPA issued its decision in the case brought against IAB Europe and its Transparency and Consent Framework (TCF). The case centered around a number of complaints made to the Belgian DPA in 2019 relating to the role that the IAB TCF plays in the OpenRTB system and its use of ‘TC Strings’ to capture data subjects’ consent preferences.

The Belgian DPA issued its draft decision in November 2021, giving the relevant supervisory authorities four weeks to provide feedback under the one-stop-shop mechanism. In its decision, the Belgian DPA highlighted that the draft decision received ‘serious scrutiny’, and two objections were incorporated into its final decision. The Belgian DPA has subsequently found that the IAB Europe and the TCF does not comply with many of the provisions of the GDPR and has issued a monetary penalty of €250,000 as well as giving IAB Europe two months to present a corrective action plan.

What is the IAB Europe Case?

In 2019, 22 complaints were made to the Belgian DPA relating to the IAB TCF and whether it violates the GDPR which resulted in the Belgian DPA launching an investigation.

In 2020, it was concluded that the IAB TCF was in breach of the GDPR due to the framework allowing organizations to swap personal information about data subjects without prior authorization as well as the IAB TCF not providing adequate controls for the processing personal data in the OpenRTB system.

13 months later, the Belgian DPA notified IAB Europe that it was close to finalizing a draft ruling in the case, specifically in relation to the use of ‘TC Strings’ for sharing consent preferences within the framework. The Belgian DPA’s draft findings were subsequently disseminated to the relevant supervisory authorities in Europe pursuant to Article 60 of the GDPR for their feedback. The concerned authorities had four weeks to provide their feedback which was incorporated in the final decision issued by the Belgian DPA.

What were the findings of the Belgian DPA in the IAB Europe Case?

In its final decision, the Belgian DPA stated that it found IAB Europe to be acting as a data controller in relation to processing data subjects’ consent preferences through ‘TC Strings’. As a result, IAB Europe can be held responsible for infringements of the GDPR’s provisions. In particular, the Belgian DPA noted that it had found IAB Europe to be in breach of the following violations:

  • Failure to establish a lawful basis for processing personal information
  • Failure to adequately inform data subjects of the nature and scope of the processing given the complexity of the TCF
  • A lack of technical and organizational measures in line with the Privacy by Design/Default principle
  • Failure to keep a record of processing activities
  • Failure to appoint a Data Protection Officer (DPO)
  • Failure to conduct a Data Protection Impact Assessment (DPIA)

The Belgian DPA also included in its findings that IAB Europe as well as consent management platforms (CMPs), publishers, and participating AdTech vendors should be regarded as joint data controllers for the purposes of collecting and processing the consent preferences of the data subject.

“The processing of personal data (e.g. capturing user preferences) under the current version of the TCF is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness. People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads. Although it concerns the TCF, and not the whole real time bidding system, our decision today will have a major impact on the protection of the personal data of internet users. Order must be restored in the TCF system so that users can regain control over their data.” – Hielke Hijmans, Chairman of the Litigation Chamber of the Belgian DPA

What was IAB Europe’s Response?

On February 2, 2022, IAB Europe issued its own statement in response to the Belgian DPA’s findings. The statement acknowledged the decision issued by the Belgian DPA; however, it rejected the finding that it acts as a data controller in the context of the TCF. IAB Europe also stated it was exploring its legal options to challenge the findings.

In addition, IAB Europe highlighted that the decision does not represent a prohibition on the use of the TCF and has requested an extension to the two-month time frame issued to six months in order to present corrective measures.

What Does the Belgian DPA Ruling Mean for Website Owners Using TCF?

This ruling comes amidst several regulatory and industry shifts impacting the AdTech ecosystem. More publishers, marketers, and industry thought leaders are questioning how they can offer consumers personalization while maintaining user privacy.

The Belgian DPA’s decision has identified underlying compliance issues with the real time bidding’, and as a result, the industry will need to come together to update existing or create new standards or frameworks that build trusted relationships between publishers, advertisers, and consumers. First-party data and cookie blocking solutions are likely to become increasingly important moving forward.

Although IAB Europe has a two-month period to present an action plan to the DPA, publishers leveraging the TCF may want to consider transitioning from the TCF to an alternative consent and preference management mechanism to comply with the GDPR. Once a publisher has removed the TCF, publishers may need to block AdTech signals entirely until consent is provided by the audience.

If TCF is removed, OneTrust customers have the option to load non-personalized or contextual ads until consent is provided by the website visitor. Publishers may also need to update any mobile applications leveraging the TCF to comply with the findings of this ruling. Customers may expect changes in their website app monetization strategy and customers are encouraged to test any changes prior to deploying any updates.

What’s Next in the IAB Europe Case?

As an immediate result of the decision, the Belgian DPA has issued a €250,000 administrative fine to IAB Europe in light of its findings as well as noting that the TCF may lead to a loss of control of large quantities of personal information.

In the longer term, the Belgian DPA has order IAB Europe to develop and present a plan of corrective actions to be presented within two months to bring the TCF into compliance with the GDPR. The Belgian DPA has outlined that corrective actions IAB Europe should seek to remedy include: establishing a valid legal basis for processing and sharing personal information; prohibiting organizations that participate in the TCF to rely on legitimate interest as a legal basis for processing; and establishing procedures to vet organizations that participate in the TCF to ensure they comply with the GDPR’s requirements.

Further resources on the IAB Europe case:  

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest regulatory news. 

You Might Also Be Interested In

SEPTEMBER 20, 2022

Anne Kenyon


Kelly Maxwell


Julie Yamamoto

AUGUST 31, 2022

Julie Yamamoto

AUGUST 30, 2022

Jason Koestenblatt

AUGUST 29, 2022

Kelly Maxwell

AUGUST 29, 2022

Ashlea Cartee

AUGUST 26, 2022

What is GPC and How Can the OneTrust Consent Management Platform (CMP) Support?

Onetrust All Rights Reserved