The preliminary report contained the conclusions of an investigation conducted by the Inspection Service and alleged that IAB Europe violated the GDPR and Belgian data protection law. The report was issued following receipt of complaints from commercial and civil society organisations lodged with a number of EU Member State Data Protection Authorities in 2018 and 2019. These complaints contained sweeping allegations of non-compliance with EU law in connection with real-time bidding (RTB) for digital advertising, but also challenged the legality of the Transparency and Consent Framework (TCF), a standard developed by IAB Europe to enable companies to comply with certain requirements of the General Data Protection Regulation (GDPR) and ePrivacy Directive.
The APD’s preliminary report contains findings that appear to relate to the TCF and findings that relate to IAB Europe itself. In particular, it asserts that certain specific aspects of the TCF violate the GDPR, and that IAB Europe – as Managing Organisation of the TCF – is a “controller” of personal data processed by participants in the TCF. The majority of issues raised in the report appear to stem from this controllership finding.
IAB Europe believes that the report demonstrated a fundamental misunderstanding of the Transparency and Consent Framework. We reject the suggestion that the TCF violates the GDPR in any way and are confident that our response will result in the allegations being dismissed.
Clarifying the operation of the Transparency and Consent Framework
The Inspection Service report misunderstands and misrepresents the TCF, including the objectives it is intended to achieve and how it operates in practice.
It challenges the fact that the TCF allows for the processing of personal data on the basis of ‘legitimate interests’, suggesting that the TCF (and by extension, IAB Europe) “determines” this legal basis. However, it is the participants in the TCF who decide whether or not they want to rely on legitimate interests as their legal basis and for which purposes – the TCF does not decide or mandate that. And although several DPAs may not support the use of legitimate interests for profiling, the GDPR does not prohibit it. It cannot be correct to bring an enforcement action against an activity that is not prohibited.
The report also alleges that the TCF breaches the GDPR by not providing detailed rules for the processing of special category data. But the processing of this type of data is not permitted under the Framework – in fact, it is explicitly excluded from its scope. Finally the report suggests that TCF participants can simply flout the rules without any consequences and that CMPs “may” continue to transact with publishers whom they suspect of engaging in conduct that breaches the TCF Policies. This is simply untrue. The Policies explicitly require that CMPs who suspect publishers of conduct that breaches the Policies inform IAB Europe and cease working with the Publisher within TCF. They also strictly forbid CMPs from carrying out any publisher instruction that would breach the Policies.
Clarifying the role of IAB Europe
If it is unreasonable to target an enforcement action against an activity that is not prohibited, it is even more unreasonable to bring that action against an organisation like IAB Europe, which simply manages a best practice standard and which has no say in what purposes and legal bases individual companies decide to rely on.
With respect to the novel finding that IAB Europe acts as a data controller in the context of the TCF, we believe the report errs in its interpretation of the GDPR and relevant case law.
Processing decisions and operations are carried out exclusively by companies in the course of their business activities. These companies participate in the TCF to help with their legal compliance efforts but such participation is not in any way a precondition for them to process data or the reason why they process the data in the first place.
As a result, and since IAB Europe has no say in the purpose or means of data processing by participants, nor does it trigger such processing, it is not a controller under the definition of GDPR and prevailing case law and guidance.
IAB Europe has never been considered as a data controller in any Member State case law or guidance, despite the fact that multiple DPAs have issued opinions on online advertising, RTB and on the TCF itself.
It is unclear what consumer protection objective could be achieved by designating a trade association operating a legal compliance standard as a data controller.
It is also worth noting that should this highly unconventional interpretation of IAB Europe’s role in managing the TCF be upheld, it would eliminate at a stroke the possibility for any industry body to develop a GDPR Code of Conduct as no such body could sanely contemplate assuming this degree of responsibility for the actions of potentially hundreds or thousands of other organisations.
Conclusion and next steps
In conclusion IAB Europe is confident that our robust defence submitted today will ensure that these allegations will be dismissed and that the participants of the TCF will be able to continue to offer users greater transparency, choice and accountability, in full compliance with the GDPR. Data Protection Authorities have a responsibility to act in an impartial way, and we trust that the process operated by the APD will deliver a fair and unbiased ruling.
Upcoming milestones in the process are as below (timings as from the oral hearing remain speculative):