IAB Europe’s transparency and consent framework, a key pillar of how online advertising is conducted on the continent, breaches laws protecting people’s data privacy, a key European regulator has said.
The Belgian data protection authority, the APD-GBA, ruled on October 16 that the TCF, a set of guidelines on good practice for the collection and processing of data for the purpose of advertising targeting, violates the general data protection regulation.
The APD-GBA is the lead Internet Privacy Officer for the European Union, so its findings will be considered important. Each member state has a national data protection authority, just like the UK, which chose to adopt the GDPR into UK law after Brexit. But Belgium is the “lead supervisory authority” under the “one-stop-shop” mechanism of the GDPR.
Critics have attacked the TCF, released in March 2018 on the eve of GDPR enactment, as inadequate for securing user consent in the way programmatic ads are served through real-time auctions.
Last year, IAB Europe launched a new version of the TCF, which it said would provide publishers with more transparency and control over how and why data was collected from users for advertising purposes.
Following complaints in 2018 from a series of privacy activists and academics, the Belgian regulator reported preliminary findings that the IAB framework allows advertisers to exchange sensitive information on people even when they have not been authorized to do so.
“IAB Europe’s approach demonstrates that it overlooks risks that would impact the rights and freedoms of data subjects,” the report said.
The IAB framework, the regulator added, fails to provide adequate controls for the processing of intimate personal data that occurs in real-time auctions, the auction-based system in which online advertisements are bought and sold in nanoseconds and disseminated to Internet users based on data held about them.
It added: “The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by the TCF of IAB Europe, allows the processing of special categories of personal data.”
The APD-GBA’s inspection service has forwarded its findings to the APD-GBA’s litigation chamber, which will hear testimony from the complainants and the IAB. If there is enforcement action, it should happen early next year.
Dr Johnny Ryan, senior researcher at the Irish Council for Civil Liberties and one of the plaintiffs, said: “The IAB framework is being used by Google and others to paint a thin legal veneer on the vast data breach at the heart of the behavioral advertising system. Now the APD-GBA is removing that veneer.”
Ryan, who filed the complaint while working for tracker-blocking internet browser Brave, has always maintained that it is impossible to seek GDPR-compliant consent for real-time auctions because the process discloses what people read, listen to and watch to an unknown number of companies.
The ICO seemed to agree, after launching an investigation into RTB and warning that a world of “perverse incentives” had been created in which intrusion was rewarded with better prices for online advertising.
However, the ICO suspended the investigation last May because it did not want to subject the online advertising industry to “undue pressure” amid the economic impact of the coronavirus pandemic.
In a statement reacting to the APD-GBA report, IAB Europe said it disagreed with the authority’s interpretation of the law and that the TCF was drafted after consultation with regulators across the continent.
It said: “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with several DPA guidance documents across the EU (CNIL, DPC, ICO, etc.), should be the focus of an enforcement action, rather than an opportunity for constructive, good-faith dialogue about how the TCF can be improved to better serve and align with ODA’s vision and consumer and industry needs.
“Over the past three years, we have had the good fortune to present the TCF to a number of European data protection authorities, whose feedback we have reflected in significant changes to V2 of the framework, which was rolled out earlier this year. We will be collaborating fully with the APD over the coming months as its services carry out assessments on the merits of the report. We will also continue to work with regulators and seek their advice on how the TCF can promote compliance with both GDPR and the ePrivacy Directive.”