Out-Law / Your Daily Need-To-Know

Ad body fined in Belgium over data protection failings

Out-Law News | 04 Feb 2022 | 2:35 pm | 2 min. read

Advertising industry body IAB Europe has been given six months to remedy data protection failings deemed to subsist in a mechanism that captures internet users’ preferences for online personalised advertising.

IAB Europe was also fined €250,000 by Belgium’s data protection authority after the regulator investigated complaints raised about the body’s Transparency & Consent Framework (TCF) and found that the way it works does not conform to the EU’s General Data Protection Regulation (GDPR). 

The TCF has been described by IAB Europe as creating “an environment where website publishers can tell visitors what data is being collected and how their website and the companies they partner with intend to use it”. It states that the framework “gives the publishing and advertising industries a common language with which to communicate consumer consent for the delivery of relevant online advertising and content”.

However, Belgium’s data protection authority took issue with the lawfulness of personal data processing facilitated through the TCF and with the information that users are presented about how their data may be processed, which it described as “too generic”.

In a statement, the authority said the TCF also lacks conformity with the GDPR’s principles of data protection by design and by default. It said there are deficiencies over “the effective exercise of data subject rights” and the monitoring of “the validity and integrity of the users’ choices”, while further failings were identified in relation to record keeping and the lack of both a data protection impact assessment having been conducted and a data protection officer appointed.

The Belgian authority (APD) has given IAB Europe two months to present an action plan to it that would remedy the issues with the TCF identified. It said IAB Europe was responsible for the failings because it considered it to be acting as a data controller, for the purposes of the GDPR. IAB Europe said it rejects that finding and may raise a legal challenge against it. However, the ad body said it was optimistic that the issues with the TCF can be remedied to enable the framework to operate as an approved GDPR code of conduct in future.

IAB Europe said: “We note that the decision contains no prohibition of the Transparency & Consent Framework (TCF), as had been requested by the complainants, and that the APD considers the purported infringements by IAB Europe that it has identified to be susceptible of being remedied in six months.”

“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge,” it said.

“Notwithstanding our grave reservations on the substance of the decision, we look forward to working with the APD on an action plan to be executed within the prescribed six months that will ensure the TCF’s continuing utility in the market. As previously communicated, it has always been our intention to submit the Framework for approval as a GDPR transnational code of conduct. Today’s decision would appear to clear the way for work on that to begin,” the body said.

Both the EU and UK GDPRs provide for the endorsement of industry-drafted codes of conduct that are "intended to contribute to the proper application" of the law.