Last week, some media reports suggested that the system used by hundreds of thousands of website and app publishers to ensure transparency and consent around online advertising was found in breach of GDPR by the Belgian Data Protection Authority. There are inaccuracies in many of the early reports and IAB Europe refutes these as well as many of the preliminary findings of the Inspection Service of the Belgian DPA.
At issue is the Transparency and Consent Framework (TCF), which provides essential guidance for entities involved in digital advertising, to assist them in compliance with the GDPR. Managed by IAB Europe, the TCF was developed through a process which took three years and involved almost 100 organisations, multiple iterations and two major revisions. More information is available here.
The Inspection Service of Belgium’s Data Protection Authority recently contacted IAB Europe with a report that made a number of allegations about the Transparency and Consent Framework and about IAB Europe’s role in relation to it. IAB Europe will be providing a full written response to the report in due course.
Following presentation of IAB Europe’s written statement, and potentially statements from complainants, the Inspection Service will present its findings to the Litigation Chamber, an administrative court still within the Belgian Data Protection Authority. IAB Europe will also have recourse to appeal in the Belgian Courts.
Please see below a media release issued by IAB Europe on 29 October.
Brussels, 29th October: IAB Europe refutes criticisms of Transparency and Consent Framework
Commenting on recent media coverage of the Belgian Data Protection Authority’s report into IAB Europe’s Transparency and Consent Framework, Townsend Feehan, CEO of IAB Europe, said:
“It is surprising and disappointing to see the degree to which the initial media coverage of this got the contents of the report completely wrong. The report does not constitute an indictment of the Transparency & Consent Framework (TCF). Its findings in relation to the Transparency and Consent Framework reflect a basic misunderstanding of how it works, and as a consequence are either not relevant or highly subjective.
For example, the finding that the Transparency and Consent Framework needs rules on the processing of special category data is incompatible with the fact that you cannot use the Framework to process such data. Similarly, IAB Europe is not indifferent to non-compliant behaviour. TCF Policies contain explicit requirements for participants to notify IAB Europe where they identify a breach and to cease working with non-compliant parties.
Generally, IAB Europe strives to ensure full compliance with TCF Policies and the best practices set out therein, but in no way purports to take on the responsibility of enforcing the GDPR, a responsibility which falls on those authorities specifically designated for that purpose by the regulation.
Commenting on the characterisation of IAB Europe as a ‘data controller’ under the terms of the GDPR, Feehan said:
The real story in the report is the novel and unsubstantiated finding that an industry association that operates a standard intended to help its members comply with the law can be considered to be a data controller, thereby sharing legal liability with every company that implements the standard. This interpretation, if upheld, would eliminate at a stroke the possibility for any industry to develop a GDPR Code of Conduct, since such codes inevitably need a host organisation, and no non-profit organisation would ever contemplate taking on such risk.
The report’s impact on the Framework is negligible. Its impact on IAB Europe as an organisation, and on any other standards body operating in Belgium, is potentially detrimental, though it is unclear what consumer protection, if any, is advanced by this.
In conclusion, Feehan stated:
“The Transparency and Consent Framework is the most sophisticated and scrutinised model of GDPR compliance for digital advertising in the world. This preliminary report is only the first stage of the Belgian Data Protection Agency’s review and it has no impact on the operation of the Framework.
We pride ourselves on collaboration with all stakeholders and look forward to engaging with the Belgian authority on this matter, just as we have already engaged with several Data Protection Authorities in the development of the latest version of the Framework.
We take issue with many of the claims in the report but it is worth emphasising that we are only at an early stage. We will be making a robust defence of the Framework and the hundreds of thousands of website and app publishers and advertisers who rely on it every day to guide their operations.”