The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) had been more than four years in the making when it finally entered into force on 25 May 2016. After a 24-month transition period, the GDPR replaced the existing patchwork of different national data protection laws in Europe, which were then implementing the 20-year-old European Data Protection Directive, with a single, directly applicable European law as of 25 May 2018. IAB Europe consistently advocated for a GDPR that provides a high level of data protection for Internet users while enabling digital advertising to continue playing its important role for the Internet ecosystem in the future. To this end, IAB Europe has supported a risk-based approach to data protection, which would focus regulatory scrutiny and enforcement on data processing based on the meaningful risks for data subjects. IAB Europe has also consistently stressed the importance of the GDPR providing clear rules that ensure legal certainty for companies.
IAB Europe recognises the fact that the GDPR adoption was a substantial milestone, establishing the principles of data protection for the foreseeable future, including, and indeed explicitly, in the digital advertising context.
Compliance with its provisions requires material time and resources from companies that do business in and with the European Union. IAB Europe and its members invested considerable resources in developing the Transparency & Consent Framework (TCF), which increases transparency, choice and accountability in relation to how personal data is processed by different actors in the online media and advertising sectors. These legal compliance efforts, amongst others, inform our views on the application of the GDPR.
More recently, as we await the European Commission’s forthcoming report on the application of the GDPR, tentatively due for release in June 2020, IAB Europe provided its input to the public consultation. Full comments can be found here.