The Belgian data protection authority has finally delivered its damning verdict on IAB Europe’s adtech system – used by Google and thousands of others as the “official” framework – ruling that it breaches GDPR and fining the organisation €250,000 (£207,000) to boot.
The decision has been a long time coming. The regulator – The Autorité de la Protection des Donnés (APD) – had first launched a probe into IAB Europe’s Transparency & Consent Framework in 2019, following 22 complaints about the system, including one from the Irish Council for Civil Liberties (ICCL).
In the ruling published this week the APD has ordered the organisation to come up with measures to bring the framework into compliance with the GDPR within two months, while adtech firms including Google, Amazon and Microsoft have been ordered must delete data gathered through the system.
The OpenRTB real-time bidding system used by advertisers, which is closely entwined with the framework, will also be affected by the ruling.
IAB Europe has long argued that the pop-ups enable users to make informed choices about what happens to their data and are compliant with GDPR. The organisation also insists it is not a ‘data controller’ under GDPR with respect to processing user consent.
However, the Belgians have disagreed on both counts. The regulator found the system is not sufficiently transparent in allowing users to make an informed decision, and that the activities of IAB Europe make it a data controller, and thus responsible for safeguarding the personal data.
Hielke Hijmans, chairman of the Litigation Chamber of the APD, said: “The processing of personal data (e.g. capturing user preferences) under the current version of the framework is incompatible with the GDPR, due to an inherent breach of the principle of fairness and lawfulness.
“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day in order to expose them to personalised ads.”
The ICCL claims says 80% of websites in Europe use the framework to manage user consent. ICCL fellow Dr Johnny Ryan said: “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies.”
Meanwhile, Nigel Jones, co-founder of Privacy Compliance Hub and a former Google lawyer, added: “The framework was an attempt by the IAB to say the online ad industry complies with data protection law – this decision says it doesn’t, so, potentially, the foundations of a large part of that industry are crumbling.
“This will be worrying for online publishers, but the muddy pond that is the online advertising ecosystem may be about to get clearer.”
For its part, IAB Europe confirmed it is considering a legal challenge. A spokesman said: “We reject the finding that we are a data controller in the context of the framework. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”
Last month, it emerged that IAB Europe was already working on a replacement framework, although it has already been claimed the new system simply cannot audit what happens to personal data after it has been broadcast to thousands of companies, hundreds of billions of times a day.
New IAB adtech framework ‘as flawed as the last one’
Big issues still to tackle in 2022: Online or off limits?
CMA action forces Google to delay demise of cookies
Privacy groups claim victory over looming adtech ruling
DMA wades into ICO row over axed adtech investigation
Privacy groups hit out at fresh delay to adtech probe
‘Chicken’ ICO kicks adtech investigation into long grass
Adtech breach widens, two years after first complaints