Last week, the Belgian Data Protection Authority (DPA) approved the Interactive Advertising Bureau (IAB) Europe’s “action plan” for bringing the Transparency and Consent Framework (TCF) into compliance with the General Data Protection Regulation (GDPR).
This approval comes as somewhat of a surprise given the harsh criticism the DPA gave the TCF in a decision about the framework last February.
But the Belgian DPA’s approval doesn’t solve the adtech ecosystem’s myriad privacy problems. Expect the uncertainty around the TCF to continue for some time.
Data protection and privacy professionals are used to dealing with uncertainty.
Ensure you keep up-to-date with how industry leaders are solving the sector’s biggest challenges by attending Last Thursday In Privacy, a livestream event taking place on 26 January.
→ Privacy Program Management: How Companies Can Best Juggle Their Compliance Requirements - 26 January 2023, 14:00 - 14:45, data protection experts will discuss best practice for managing your organisation’s data protection operations. Speakers include; Samuel Famolu of BCD Travel, Geoffrey Ceunen of RESPONSUM, James Leaton Gray of Ozone and Elizabeth Smith of The Chartered Institute of IT.
The TCF v2.0 was supposed to be a “cross-industry best practice standard” to help thousands of publishers, adtech vendors, and CMPs comply with GDPR.
But it wasn’t.
The TCF all fell apart last February. The Belgian DPA found the framework to be incompatible with GDPR. The regulator highlighted numerous issues with how personal data was collected and shared under the scheme.
The decision is complicated, but it has significant implications for thousands of companies in the digital marketing space.
The Belgian DPA’s Decision
Despite overseeing the processing of vast quantities of personal data via the TCF, the IAB always denied it was a “data controller” under the GDPR.
Therefore, the group argued that it had no data protection obligations.
In a complaint against the IAB—spurred on by the alleged abuses of people’s privacy under the “real-time bidding” (RTB) online advertising process—civil society groups sought to establish that the IAB itself fell within the scope of the GDPR.
To do this, the complaint sought to establish that the IAB was itself controlling personal data.
A key issue in the case was whether the IAB’s “TC String”—a code that expresses data about users’ advertising consent preferences—was considered “personal data” under the GDPR.
The IAB denied this, arguing that the TC String could not identify any individual. But the DPA disagreed, determining that the TC String was personal data in certain contexts.
“To claim that individuals are not identifiable, when the purpose of the processing is precisely to identify them, would be a contradiction in terminis,” the DPA said.
Another key question in the case was whether the IAB was a “joint controller” of the data..
Citing a 2014 Court of Justice of the European Union (CJEU) case known as “Jehovah’s Witnesses”, the IAB argued that it was merely a “managing organisation” and did not “organise, coordinate or promote” the processing of personal data.
However, the DPA again disagreed. Given that the TC String is personal data, the fact that the IAB modified, stored and shared that personal data made the group a joint controller.
In its decision against the IAB, the DPA ordered to the group to, among other things:
- Delete the personal data it had processed “unlawfully”.
- Prohibit reliance on “legitimate interests” for setting cookies under the TCF.
- Require TCF participants to be more transparent.
- Pay a small fine.
The IAB appealed to the Belgian Market Court, which referred six questions to the CJEU. I examine these questions in some detail in this article from last year.
The outcome of this case will have huge implications for the adtech industry.
The Action Plan
Despite this ongoing CJEU case, the IAB has created an action plan for bringing the TCF into compliance.
The Belgian DPA announced last week that it had approved the plan and given the IAB six months to implement it.
We don’t know much about the action plan at this stage. But the IAB has revealed two interesting insights.
According to the IAB, the action plan assumes that:
- The TC String is personal data.
- The IAB is a joint controller.
However, the IAB also warns TCF participants that “…implementation of the action plan… would entail operating changes for TCF participants that may ultimately be found inadequate by the European Court.”
As a result, uncertainty around the TCF is expected to continue for some time.
Last Thursday in Privacy is a GRC World Forums initiative that takes place on the last Thursday of the month to provide up to the minute information and advice to organisations regardless of where they are in the world.
This ‘Last Thursday in Privacy’ event will take place on January 26th 2023, as part of the international Data Privacy Week, and will be hosted on the GRC World Forums engagement hub.
→ In Privacy Program Management: How Companies Can Best Juggle Their Compliance Requirements - 26 January 2023, 14:00 - 14:45, data protection experts will discuss best practice for managing your organisation’s data protection operations. Speakers include; Samuel Famolu of BCD Travel, Geoffrey Ceunen of RESPONSUM, James Leaton Gray of Ozone and Elizabeth Smith of The Chartered Institute of IT.