The Belgian Data Protection Authority (DPA) has ruled that IAB Europe’s Transparency and Consent Framework (TCF) does not comply with the GDPR. The TCF is designed to assist advertisers to comply with the GDPR when delivering targeted advertising to an end user. A user inputs their data preferences when visiting a website, and the TCF communicates these preferences with participating companies. In carrying out this collection and distribution of user data, the IAB was found to be a data controller rather than data processor and to be in breach of the following GDPR criteria:
- Lawfulness – IAB Europe lacked a legal basis for processing personal data via the TCF;
- Transparency and Information to Users – the transparency standard was not met for information required to be provided to users at the data preference selection stage;
- Accountability, Security and Data Protection by Design/Default – these measures to ensure effective exercise of data subject rights and to monitor the validity and integrity of users’ choices were not in place;
- As a consequence of being a data controller it had failed to keep a register of processing activities; appoint a Data Protection Officer; or to conduct a Data Protection Impact Assessment.
The DPA imposed the fine of €250,000 as well as a two-month deadline for IAB Europe to bring its TCF into compliance with the GDPR. IAB Europe has rejected the ruling: “We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.” IAB Europe may appeal the decision through the Market Court within 30 days. Unless there is a successful appeal, this decision will be a cause for concern for organisations operating in the adtech area – particularly those using the TCF.