Update On The Belgian Data Protection Authority’s Investigation Of IAB Europe
Brussels, 5 November 2021 – IAB Europe is informed by the Belgian data protection authority (the APD) that its Litigation Chamber is close to finalising a draft ruling that will conclude its investigation of IAB Europe and its role in the Transparency & Consent Framework (TCF). The draft ruling is expected to be shared with other Data Protection Authorities (DPAs) in the coming 2-3 weeks under the Cooperation Procedure laid down in the GDPR. Those DPAs will have 30 days to review it. Depending on the outcome of that review, the APD may adopt a final ruling or the matter may be referred to the European Data Protection Board for a binding decision.
The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe.
The purported infringements are a consequence of the APD’s particular interpretation of the GDPR, as explained below.
The draft ruling is expected to find IAB Europe to be a data controller for TCF “TC Strings”, the digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement. The APD is understood to consider these signals to be personal data. It is also expected to find IAB Europe to be a joint controller for TC Strings in the specific context of OpenRTB.
Based on guidance from other DPAs up to now and the fact that IAB Europe does not in any way process, own, or decide on the use of specific TC Strings, as well as relevant case law and its own interpretation of the GDPR, IAB Europe has not considered itself to be a data controller in the context of the TCF. Therefore, it has naturally not fulfilled certain obligations that accrue to data controllers under the Regulation. The draft ruling will require IAB Europe to work with the APD to ensure that these obligations are met going forward.
We are optimistic that work on the action plan under the APD’s supervision should enable the approval of the TCF as a GDPR trans-national Code of Conduct (CoC) by the APD and the full European Data Protection Board (EDPB). Since launching the TCF in 2018, IAB Europe has been keen on evolving it into a CoC, an aspiration that has been explicitly encouraged by a number of DPAs but has had to be put on hold pending the outcome of the present case.
We look forward to the outcome of the Cooperation Procedure and stand ready to work with the APD and other DPAs to support companies in the digital advertising industry to ensure that they fully comply with the requirements of EU law.