3 March 2022, Brussels, Belgium – IAB Europe today announced a suspension of all cooperation with IAB Russia and IAB Belarus, following the Russian invasion of Ukraine earlier this week and the announcement that Belarus is acting in support of the government of Vladimir Putin.

“We regret taking this step against partner organisations, but the brutality of Russia's unprovoked attack against a sovereign European country gives us no choice but to use every lever at our disposal to increase its isolation,” said IAB Europe CEO Townsend Feehan.  “IAB Europe stands with our innocent Ukrainian colleagues in Kiev and elsewhere, who are continuing to work under shocking circumstances.”

About IAB Europe

IAB Europe is the European-level association for the digital marketing and advertising ecosystem. Through its membership of national IABs and media, technology and marketing companies, its mission is to lead political representation and promote industry collaboration to deliver frameworks, standards, and industry programmes that enable business to thrive in the European market.

24 February, Brussels, Belgium - IAB Europe today expressed its solidarity with, and support for, its colleagues in Ukraine and their families.  “In the week-to-week cut and thrust of our policy advocacy in Brussels, it is easy to forget why the European Union was created”, said IAB Europe CEO Townsend Feehan.  “The events of the past few days are a powerful reminder.  We are alarmed and saddened that in 2022, friends and colleagues in a sovereign European country can be confronted with armed conflict and a military invasion of their homeland.  We hope and pray for their safety.”

IAB Europe is recruiting a full-time Privacy Compliance Officer to join our Brussels-based privacy team. The candidate should have a basic understanding of the European data protection framework and an interest in its impacts on technological development, especially digital advertising and media.

Scope of the Role: Key Responsibilities

The Privacy Compliance Officer will report to IAB Europe’s Privacy Director. The Privacy Compliance Officer will be responsible for executing IAB Europe’s compliance programmes in the context of the association’s GDPR compliance standard, the Transparency & Consent Framework (TCF). Tasks and responsibilities include but are not limited to:

• Assisting the Privacy Director in the development of privacy compliance programmes for Consent Management Platforms (CMPs) and digital advertising intermediaries (AdTech vendors)
• Carrying out manual and automated privacy compliance assessments on digital properties (websites, apps) across key European markets
• Carrying our privacy compliance audits of ad tech intermediaries registered on the TCF’s Global Vendor List (GVL)
• Liaising with external contractors for the development of automated privacy compliance tools
• Processing and assessment of compliance complaints
• Supporting the Privacy Director and Privacy Counsel in overseeing and managing TCF Working Groups

Profile

Professional attributes:

• A degree in law or IT
• Basic working knowledge of EU privacy and data protection rules
• Strong written and oral communication skills
• An interest in digital advertising and the ability to interact confidently with high-level industry professionals
• Fluency in English and at least 1 other EU/EEA language
• Interest in privacy compliance in the digital space

Personal attributes:

• Strong communicator
• Able to work autonomously and take initiative
• Structured and organised
• Approachable
• Rigorous with eye for detail

What’s in it for you?

• Opportunity to work at the cutting edge of the development and implementation of privacy and data protection laws in a rapidly changing sector that is the the forefront of online technological innovation
• Learn about the technical and legal ins and outs of digital advertising online
• Develop expert knowledge of privacy compliance online
• Visibility, engagement and interaction with senior staff in leading local and global technology and media businesses
• Possibility to work from home several days per week.

Location: Brussels

Type: Full-time

Salary: Commensurate with experience

Contract type: Indefinite

To apply, please send your CV & a covering letter by email to jobs@iabeurope.eu with a subject line: ‘Privacy Compliance Officer - Application’.

While we may not be able to reach out to every applicant, we will contact candidates whose skills and experience are a strong match for the position.

Following the publication of the Decision of the Belgian Data Protection Authority of 2 February 2022 on the Transparency & Consent Framework (TCF), many sources have published partial or incorrect information about the scope of that Decision. This information includes guidance from two European data protection authorities (DPAs) advising publishers and others to switch from using the TCF, despite the fact that (i) the Decision is an administrative one that is subject to appeal (see IAB Europe’s announcement in this respect) and (ii) the Belgian DPA gave a period of two months to come up with a plan with corrective measures to remedy alleged non-compliance and an additional six months to implement such measures.

The DPAs making statements in this respect are aware of this, as they have been involved in the decision-making process led by the Belgian DPA and endorsed the remediation period.

IAB Europe wishes to reiterate that the TCF is a voluntary minimum standard created to help publishers establish and document the GDPR legal basis for the processing of users’ personal data by third parties who deliver and measure digital advertising on their sites. The Belgian DPA has not prohibited the TCF, but has instead ordered IAB Europe to introduce additional functionality and propose corrective measures, confirming that the alleged infringements can in its view be remedied.  The version of the Framework that emerges from this process will be an even stronger standard.

If publishers, vendors and CMPs wish to adapt their use of the TCF in the meantime, they remain free to do so, and they can in this context take into account the Belgian DPA’s suggestions of additional information disclosures as well as its guidance regarding the use of legitimate interests as a legal ground for profiling.

11 February, Brussels, Belgium: IAB Europe confirmed today that it will appeal the Belgian Data Protection Authority (APD)’s administrative ruling regarding IAB Europe and the Transparency & Consent Framework (TCF) to the Belgian Market Court.

The administrative ruling’s finding that IAB Europe acts as a joint controller for profiling and other data processing done by TCF vendors in the context of OpenRTB is disputed by IAB Europe.

“IAB Europe is a small trade association that has been creating and iterating on a framework for data protection best practices in continual consultation with the authorities. It cannot have been the intention of the European legislator that a body like ours should bear legal responsibility for the data processing activities of an entire industry,” said Townsend Feehan, IAB Europe CEO. “We have no choice but to appeal.”

“We believe the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law. This establishes an irrational legal precedent. It will have the perverse effect of discouraging other standard-setting organisations from investing in instruments that aim to protect users and facilitate the exercise of their rights under the GDPR.”  

IAB Europe believes appealing is the right decision to avert unintended negative consequences that go well beyond the changes that the APD wants to see made to the TCF, and which could impact the wider digital advertising industry. Notwithstanding, IAB Europe looks forward to working with the APD and other data protection authorities to ensure the TCF’s continuing utility in the market, and with the ultimate aim of having the TCF approved as a transnational GDPR Code of Conduct.

Supervisory authorities from across the European Union were involved in the process that led to the APD’s administrative ruling. While we believe it is unlikely that these authorities will take measures against IAB Europe or any commercial actors using the TCF until a final judicial ruling is rendered, we nevertheless call upon such authorities, in the spirit of EU-wide consistency and legal certainty, to publicly acknowledge that intent.  We also believe that any civil litigation that might ensue in other jurisdictions will likely be stayed pending resolution of IAB Europe’s appeal in the Market Court.  

Finally, we are aware that certain advocacy organizations are calling upon advertisers to cease using TCF and OpenRTB.  We find such a conclusion unfounded, first, because no advertisers are named parties in the Belgian ruling and second, because the APD has not ordered the IAB Europe to discontinue use of TCF pending its submission of a plan to the APD.  

For further information, please read and download the IAB Europe FAQ Document here. 

The Belgian Data Protection Authority (APD) handed down on 2 February 2022 a decision on IAB Europe and the Transparency & Consent Framework (TCF). What does this decision actually say, and what does it mean for the TCF itself, for IAB Europe, for vendors, publishers and consent management platforms (CMPs)?

Read our FAQ document to find answers to these questions and more.

The document addresses questions including:

• Are TCF CMP pop-ups illegal?
• Should all data collected via the TCF be deleted?
• Will IAB Europe appeal to the Market Court?
• Will TCF be made into a code of conduct?
• Are TCF participants at risk now towards their local Data Protection Authority?

Read and download the full FAQ document here.

2nd February, Brussels, Belgium: IAB Europe acknowledges the decision announced today by the Belgian Data Protection Authority (APD) in connection with its investigation of IAB Europe.  We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.

We reject the finding that we are a data controller in the context of the TCF.  We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry.  We are considering all options with respect to a legal challenge.

Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market.  As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin.

For more information on the APD decision on IAB Europe and the TCF, please visit our FAQ document here.

In a note published last week, the Irish Council of Civil Liberties (ICCL) criticised IAB Europe’s efforts to monitor adtech vendors’ compliance with their commitments under the Transparency & Consent Framework (TCF). In particular, it called out IAB Europe’s “inability to audit what 1000+ companies that use TCF do with personal data”, and concluded that transparency and control “cannot be established”.

Presumably, the above reasoning explains why, according to the ICCL, data-driven advertising should be banned and any industry compliance initiative should itself be immediately discredited and prohibited. In other words, since it is impossible to guarantee absolute compliance, it would be better to do nothing. If one would, by analogy, apply the same reasoning to national data protection authorities (DPAs) - responsible for enforcing data protection rules - then these should all just close shop in light of their inability to continuously audit all data processing everywhere.

Luckily, both DPAs and IAB Europe take a somewhat less defeatist attitude to compliance and enforcement. And while IAB Europe is in no way a DPA, nor does it have the same powers as a DPA, it continuously strives to improve its monitoring and auditing capabilities in the context of the TCF.

As a reminder, the TCF is a voluntary standard that companies which serve, measure and manage digital, including personalised, advertising or content can use to assist with their GDPR compliance. It doesn’t guarantee compliance, nor does it seek to help companies shirk their legal responsibility. It’s just a step in the compliance process that every business that implements the Framework must undertake individually. Portraying it as anything else signals a misunderstanding of the instrument and its objectives.

As an integral part of the TCF, IAB Europe has been running a Consent Management Platform (CMP) compliance programme since 2019. That programme comprises a pre-implementation validation stage and a post-implementation enforcement stage. 

In August 2021, the programme was improved and expanded to include monitoring of Vendor implementations for compliance with the TCF Policies and Technical Specifications. You can read more about the Vendor Compliance Programme here.

While it should be absolutely clear that the responsibility for correct implementation of the TCF, and ultimately compliance with the EU’s data protection framework, lies with the businesses that are subject to it, IAB Europe provides support and develops dedicated procedures to make sure the TCF is implemented properly. As managing organisation of the Framework, IAB Europe also imposes penalties in line with its prerogatives under the TCF Terms and Conditions to contractually sanction non-compliance.

The first iteration of the Vendor Compliance Programme launched in August last year falls within this objective. And while client-side vendor operations constitute the focus of what is only an initial phase, its scope includes systematic large-scale monitoring of vendor behaviour at the point of data collection and, thus, an assessment of compliance with critical TCF policies, directly rooted in requirements set out in the ePrivacy Directive and the GDPR.

In particular, and contrary to the claims put forward by the ICCL, the programme not only monitors the writing and reading of cookies by Javascript and non-Javascript tags. It also audits all http requests and responses, and attempts to identify instances where vendors may not be collecting or transmitting personal data in accordance with the user’s preferences.

Crucially, to ensure accuracy of results, the auditing relies on both automated crawls and manual testing of web pages. This precludes any bad players within the system from circumventing the programme and evading their commitments towards the user and the industry as a whole.

It’s worth noting that such compliance monitoring and auditing is possible precisely because of the standardised and open format for signaling user preferences established by the TCF. This would not be possible with any other consent structure in use today. Our hope is that DPAs in particular, will consider leveraging the compliance auditing opportunities it offers.

For more information on the TCF Vendor Compliance Programme, please see this dedicated notification.

20 January 2022, Brussels, Belgium – The European Parliament has voted to accept new amendments to its position on the Digital Services Act, which will be put to a final vote today. A number of these provisions give cause for concern for all those who support an efficient, secure and prosperous European digital market. 

Amendment 202, on online interfaces, prohibits service providers from ever asking for consent for data processing if a user has objected “by automated means using technical specifications”. We are concerned that this means that individual website or app publishers who want to request consent for legitimate purposes will be barred from doing so if a user has checked a box at the browser or OS level. This would strengthen the gatekeeper role of dominant players and have a disproportionate effect on small publishers. 

Amendments 498 and 499 demand that services provide equal access and functionality to users who refuse consent for data processing for the purposes of advertising. This risks creating a ‘free rider’ problem and putting in peril huge swathes of the ad-supported information economy. 

Commenting on the vote, IAB Europe Director of Public Policy Greg Mroczkowski said:

“The use of personal data in advertising is already tightly regulated by existing legislation. It is disappointing that in a mistaken belief that targeted advertising causes online disinformation or breaches privacy and data protection principles, MEPs have decided to pass amendments that not only overlap with the GDPR and existing consumer law but risk undermining these rules, as well as the entire ad-supported digital economy. 

“We urge policymakers to take good account of the progress currently being made in GDPR enforcement and reconsider these amendments during the trilogue process to ensure we end up with a DSA that provides legal certainty for all actors.

“Ultimately, a Digital Services Act that boosts transparency and certainty across the online economy is in everyone’s interests. We will be consulting with our members and all interested stakeholders to try to come up with solutions that are workable, secure and efficient.” 

The Digital Services Act (DSA) is poised to shape Europe’s digital future for decades to come. But as the legislation has been debated and discussed, there have been a significant number of proposals that would vastly expand its scope – and could profoundly change the way we operate online. 

With the European Parliament plenary session to be held next week in Strasbourg, IAB Europe organised a roundtable discussion, The Digital Services Act: What Can We Expect from the Plenary Session?, where we were pleased to host Slavina Ancheva, Parliamentary Assistant to MEP Eva Maydell (EPP, Bulgaria), Benedikt Blomeyer (Director EU Policy, Allied for Startups), Tim Geenen (Managing Director, LiveRamp) and Fernando Parreira (Business Director, SAPO). The discussion was moderated by MLex’s Chief Correspondent Matthew Newman and saw participants share their insights on the state of play of the DSA debate.

One of the most prominent proposals in the DSA has been to introduce a blanket ban on targeted ads. This essential – unfairly maligned – low-cost marketing tool has been transformative for businesses large and small throughout the pandemic. It has allowed SMEs to reach new audiences across Europe and convert them into paying customers. Enterprises that have embraced digital tools have fared significantly better amid the uncertainty of Covid-19 and, as Allied for Startups’ Benedikt Blomeyer highlighted last Wednesday, they are essential for startups too.

MEPs in the Internal Market and Consumer Protection (IMCO) Committee voted to avoid the blanket ban that would have had devastating consequences for consumers and businesses across Europe. This is to be welcomed but concerns remain about the scope of new measures that could make their way in during the plenary vote. Indeed, Slavina Ancheva cautioned that proposals for a ban could reappear during the plenary session, though she does not believe such a proposal would garner enough support to pass.

There are also open questions around practical implications of a ban on targeting minors, with an underlying concern about whether age verification of users’ will be allowed under the new rules. If a robust, reliable and affordable method of age verification cannot be used, these measures could potentially amount to a full ban on targeted advertising.

There has also been talk by some MEPs of using a wide-ranging ban on so-called ‘dark patterns’ as a way of banning targeted advertising by the back door. Sweeping language in the proposed Article 13a (1)(b) and (e) would take away the right of publishers to independently hold a dialogue with their users on consent for advertising purposes and heavily interfere with existing provisions in the EU’s consumer law and data protection framework, which are already being interpreted and applied by Data Protection Authorities (DPAs). Similarly, proposals relating to ‘consent’ around the use of personal data in targeting risk duplicating and undermining existing legislation.

Overlapping and sometimes conflictual rules would represent a significant regulatory burden for thousands of small businesses across Europe and could undermine the broader digital advertising ecosystem. 

What is needed is proper enforcement of the EU’s world-leading General Data Protection Regulation (GDPR), not new measures – a point agreed with by Fernando Parreira and Tim Geenen, who said the way to go for any new legislative instrument should be to empower users in line with the GDPR requirements.

There remains a wide divergence in the views of policymakers and the final outcome remains unclear. This was illustrated during a Targeting Startups event which saw MEP Henna Virkkunen (EPP, Finland) state that targeted ads are vital to SMEs. On the other hand, MEP Patrick Breyer (Greens/EFA, Germany) claimed that contextual advertising is an adequate replacement for the existing business model. Above all this, the lead rapporteur Christel Schaldemose (S&D, Denmark) spoke of her aim of “reinforcing the intention of the GDPR” by making it easier “to refuse digital ads than accepting ads”.

Such a discrepancy of views will need to be reconciled ahead of the vote, a task that will not be easy. MEPs must remain alive to the risks of a ban or heavy restrictions on targeted advertising. Otherwise, businesses and consumers could be facing far-reaching, irreversible unintended consequences that will impact the very fabric of our free and open internet.

14 December 2021, Brussels, Belgium - IAB Europe issued a cautious welcome to the report approved today by the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) on the proposed Digital Services Act (DSA).

The IMCO votes mark a critical step in the passage of the DSA ahead of a plenary vote in the Parliament in January and crucial trilogue negotiations among the EU institutions later next year.

While some MEPs in IMCO had called for a ban or harsh restrictions on data-driven advertising, the subsequent debate brought the value of targeting for small and medium enterprises (SMEs), Europe’s media and to consumers themselves into sharp relief. 

Commenting on the IMCO votes, IAB Europe CEO Townsend Feehan said:

We’re pleased that IMCO did not agree to a blanket ban on “targeted ads” which would have done nothing to enhance users’ safety online, including addressing the major societal challenge of online disinformation, and would have had other significant unintended consequences. Data-driven advertising helps smaller publishers and providers of other online services compete with the biggest players and ensures that users have access to a diversity of sources without paying for subscriptions. The value of targeted ads as one of the most useful marketing tools available for SMEs has been well-evidenced, and we must not take away the chance to support these small businesses who fuel our European economy.

Concerns remain about the risk of overlap and contradictions with EU data protection law if some of the language approved today ends up in the DSA. So-called ‘dark patterns’ influencing user choices should be mitigated by the use of existing tools of enforcement, including detailed guidance provided by Data Protection Authorities. We call on the Parliament and the Council to be sensitive to the risk of running into a legal quagmire in the remaining phases of the legislative process. 

We’ll continue to engage with policymakers to ensure there is good appreciation of the strong consumer protections that are already built into the law and of existing industry efforts to enable transparency and choice in relation to the use of personal data for digital advertising and marketing.  

In this blog post, as featured in the EU Observer, IAB Europe's Director, Public Policy, Greg Mroczkowski, shares what has been missing from the debate on personalisation in advertising and how privacy and personalisation can in fact go hand-in-hand. 

As the European Parliament’s Internal Market and Consumer Protection Committee (IMCO) prepares to vote on its opinion on the Digital Services Act (DSA) next week, the fate of targeted ads will become clearer. There’s been much speculation over what the precise outcome will be when it comes to targeted ads but the debate has highlighted how digital advertising is not a simple black and white issue but one that has major ramifications for small businesses and small publishers across Europe. 

Ahead of the vote, it’s important to remember that targeted ads are a vital part of the day-to-day operation of thousands of businesses in Europe. They are effective at reaching new audiences, converting those audiences into customers, and giving businesses the ability to compete and grow. Targeted advertising is more than twice as effective at reaching new customers than contextual advertising, and is a low-cost, essential tool that is particularly useful for SMEs. And SMEs drive more than half of Europe’s GDP, employing over 100 million Europeans.

After the Covid-19 pandemic -- which has pushed operations for most businesses almost exclusively online as lockdowns became the norm -- many SMEs, which are the backbone of Europe’s economy, are still recovering. They simply cannot afford to lose the ability to effectively market their products right now.

For publishers, the situation has been most challenging too. Targeted ads command a premium that contextual advertising just doesn’t match. Where traditional media outlets have faced declining print circulations, digital advertising has proven a fruitful new source of revenue for many publishers. Indeed, at last week’s European News Media Summit, Commissioner Breton highlighted the dramatic drop in ad revenues seen by the traditional news media which has been grappling with a rapid digital transition.

What has been missing from the debate on personalisation in advertising is that privacy and personalisation can go hand in hand. Safeguarding privacy and data protection must be paramount, and there are tools to do that, in the form of the General Data Protection Regulation (GDPR). Enforcement of the existing law should pave the way for ensuring that the data-driven advertising business model is kept in check.

We must also remember that targeted ads help to fund a free and open internet. With 68 percent of Europeans saying they would never pay for news content online, the revenues generated by targeted ads play a vital role in supporting a pluralistic media landscape and maintaining free access to news and content. Heavy restrictions on the ability to address marketing communications would drastically reshape the internet as we know it and restrict access to reliable sources of news to a privileged few. In an era of rising concerns over disinformation, this would be yet another blow.

Contextual advertising, often pushed as a catch-all solution by opponents of targeted ads, is not a panacea. While it is a relevant part of the online advertising ecosystem, they simply do not deliver the same reach to new customers or return on investment that targeting can. Giving businesses the flexibility to choose how they advertise to their customers and select the tools that serve them best is an essential element of the digital economy.

As we reach an important milestone in the updating of Europe’s digital rules, we must ensure that users are empowered with enhanced transparency to make informed choices about ad-supported content – in line with the significant transparency and accountability requirements under the GDPR'. It will go someway to helping policymakers ensure the DSA becomes a successful digital regulatory framework fit for the Twenty First Century which will drive and sustain businesses of all sizes for many years to come.