Online ad industry body IAB Europe has tried to play down an imminent ruling that its adtech system – used by Google and thousands of others as the “official” framework – is in breach of GDPR, despite privacy campaigners hailing the move as a major victory.
The Belgian data protection authority – The Autorité de la Protection des Donnés (APD) – first launched a probe into IAB Europe’s Transparency & Consent Framework two years ago, following 22 complaints about the system, including one from the Irish Council for Civil Liberties (ICCL).
Last October, the regulator – which is the EU lead enforcer for e-privacy – published a preliminary report that stated it had found serious GDPR infringements by the trade body.
The complaint then moved to the litigation arm of the regulator, which has been considering the case for the past 13 months. But, according to IAB Europe, the authority is now finalising a draft ruling, that both the framework and IAB Europe are in breach of GDPR.
However, in a move that proves the snail like pace of GDPR enforcement, the ruling will also have to be approved by other EU data protection regulators, meaning it may not emerge until way into the new year.
According to IAB Europe, “the purported infringements are a consequence of the (Belgian regulator’s) particular interpretation of the GDPR”.
It added: “The draft ruling will apparently identify infringements of GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the (regulator) overseeing the execution of an agreed action plan by IAB Europe.”
At the heart of the matter is the finding that IAB Europe is a data controller for TCF, the digital signals created on websites to capture consumers’ choices about the processing of their personal data for digital advertising, content and measurement. The regulator is understood to consider these signals to be personal data. It is also expected to find IAB Europe to be a joint controller for TCF in the specific context of open real-time bidding.
But IAB Europe claims it has never considered itself to be a data controller within TCF, adding that this is why it has not fulfilled certain obligations for data controllers under GDPR. The draft ruling will require IAB Europe to work with the Belgians to ensure that these obligations are met going forward.
It added: “We stand ready to work with the (regulator) and other data protection authorities to support companies in the digital advertising industry to ensure that they fully comply with the requirements of EU law.”
However, the dye seems cast and The Irish Council for Civil Liberties’ has hailed the looming decision as a major victory.
ICCL senior fellow Johnny Ryan, a long-term crusader against the adtech industry, said: “We have won. The online advertising industry and its trade body, IAB Europe, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.
“IAB Europe designed the misleading ‘consent’ pop-ups that feature on almost all (80%+) European websites and apps. These pop-ups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click.
“Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal. IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach in at the heart of online advertising. We hope the decision of the Belgian authority will finally force the online advertising industry to reform.”
The Autorité de la Protection des Donnés has yet to comment on the looming ruling.
Targeted ads use ‘illegal surveillance’, lawmakers told
War on ‘illegal’ adtech RTB heads to the German courts
‘Super-regulator’ puts TikTok, AI and adtech on notice
ICO gunning for data brokers as adtech probe resumes
DMA wades into ICO row over axed adtech investigation
Belgians rule IAB’s adtech system is in breach of GDPR
Adtech breach widens, two years after first complaints
$273bn behavioural ad industry ‘is in breach of GDPR’