Brussels, Belgium 25th January 2024 - IAB Europe, the European level association representing a diverse membership of digital marketing, digital advertising and media companies, has submitted its observations to the European Commission on the Multistakeholder Expert Group Questionnaire for the 2024 Report on the Application of the GDPR. In its response, IAB Europe underscores several priority issues requiring attention under the GDPR. These include the imperative for more consistent application of data protection laws, enhanced education and awareness about the GDPR, and the necessity to support research and development into innovative data protection technologies by better applying the risk-based approach.
- To promote a more consistent application of the GDPR, IAB Europe advocates for aligning national rules and harmonising domestic procedures among Member States. This approach aims to address inconsistencies, prevent duplicative actions, and alleviate administrative burdens on local courts and companies dealing with multiple claims on the same matter. IAB Europe emphasises the need to avoid divergence in interpreting the GDPR between Data Protection Authorities (DPAs) and national courts during civil proceedings.
- Most importantly, IAB Europe argues against ruling out the choice of legal bases a priori. Instead, IAB Europe proposes a case-by-case assessment, accompanied by clear guidance applicable across the EU that does not disproportionately restrict digital businesses and is applicable across the EU.
- In refining GDPR concepts, IAB Europe recommends additional guidance to clarify specific definitions, including the interpretation of 'unlawfully processed data’. IAB Europe stresses the importance of aligning enforcement actions with the principle that joint responsibility does not imply equal responsibility. This entails delineating clear responsibilities between joint data controllers to avoid placing disproportionate expectations on individual companies.
- IAB Europe advocates for the improved functioning of DPAs through enhanced personnel training and increased communication with the industry. Additionally, IAB Europe highlights concerns about the zero-risk approach by DPAs, which contradicts the concept of appropriateness and hinders the development of anonymisation techniques.
- Regarding the EDPB Guidelines, IAB Europe suggests an improved consultation process to ensure comprehensive stakeholder input, including from business associations, before the initial draft is produced. Furthermore, in the context of Codes of Conduct (CoC), IAB Europe recommends a simplified drafting process, active DPA engagement in code development, and the recognition of tools like IAB Europe’s Transparency & Consent Framework (TCF) as a transnational GDPR Code of Conduct. This approach would offer substantial compliance benefits to consumers and the industry, fostering improved market coverage and a streamlined user experience, particularly in inherently transnational sectors such as digital advertising.
- IAB Europe encourages striking a balanced approach between data protection and innovation, considering the diverse impacts of technologies on user privacy. IAB Europe stresses the importance of a meticulous assessment and articulation of the GDPR's interaction with laws like the AI Act, DSA, DMA, and Data Act, without necessitating the reopening of the GDPR.
The response is rooted in the lessons learnt by our members while striving to comply with GDPR rules. It underscores the need for a consistent application of the GDPR in the EU and clearer guidance from data protection enforcers. Finally, IAB Europe express its commitment to an ongoing dialogue on GDPR enforcement with policymakers to serve the interests of both businesses and consumers
Download the response here