Privacy campaigners have claimed a major victory in their war against the adtech industry’s “abuse” of consumers’ data rights, following an investigation by the Belgian data protection authority which has found serious GDPR infringements by trade body IAB Europe.
The Autorité de la Protection des Donnés (APD), which is the EU lead enforcer for e-privacy, launched a probe into IAB Europe’s Transparency & Consent Framework following 22 complaints about the system, including one from the Irish Council for Civil Liberties (ICCL).
In its ruling, the regulator has found that the IAB Framework, which is used widely across the EU to gain consent for the use of realtime bidding (RTB) which supports online ads, allows companies to swap sensitive information about people even when this has not been authorised.
The ruling states: “IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects. The [Framework] does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by the IAB Europe’s [system], does allow the processing of special categories of personal data.”
The report states: “The information provided is incomplete, insufficient and therefore does not comply with the obligations laid down in Article 13 and 15 of GDPR.”
IAB Europe has also been been found wanting in other areas, including the fact it had no data protection officer, and did not maintain a registry of what it does with personal data; nor did it have clearly defined controller/processor relationships with its own service providers.
The APD Inspectorate Service has now forwarded its findings to the APD Litigation Chamber, and submissions from both the complainants and IAB Europe will be heard. After that, a decision will be made on any enforcement action early in the new year.
ICCL fellow Johnny Ryan, a long-term crusader against the adtech industry, said: “The IAB Framework is used by Google and others to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. Now, the APD is peeling this veneer off.”
Perhaps unsurprisingly, IAB Europe contests the findings of the investigation. In a statement, the trade body said: “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with multiple data protection authority (DPA) guidance materials across the EU (CNIL, DPC, ICO, etc), should be the focus of an enforcement action, rather than an opportunity for a constructive, good-faith dialogue on how the framework can be improved in ways that better align with the APD’s vision and with consumer and industry needs.
“Over the past three years we have had the chance to present the framework to a number of European DPAs, whose feedback we reflected in important changes in version 2 of the Framework, rolled out earlier this year.
“We will be fully engaging with the APD over the coming months as its services conduct evaluations on the merits of the report. We will also continue to work with regulators and seek their guidance on how the framework can promote compliance with both the GDPR and the ePrivacy Directive.”
Earlier this year, the ICO slammed the brakes on its own investigation into adtech, insisting it did not want to put the industry under “undue pressure” during the Covid-19 pandemic; the move was roundly condemned.
Adtech breach widens, two years after first complaints
Group seeks €10bn pay-out over adtech GDPR breach
Privacy groups hit out at fresh delay to adtech probe
ICO strikes back at claims it has shut down all cases
‘Chicken’ ICO kicks adtech investigation into long grass
ICO ‘cosies up’ to industry in bid to tackle adtech issue
ICO urged to act now on adtech or be seen as soft touch
IAB in dock over sector’s ‘systemic’ breaches of GDPR
$273bn behavioural ad industry ‘is in breach of GDPR’