The Belgian Data Protection Authority (DPA) has fined the Interactive Advertising Bureau Europe (IAB Europe) 250,000 euros for failing to comply with a number of provisions of the European Union’s General Data Protection Regulation (GDPR). IAB Europe is a federation representing the digital advertisement and marketing industry in Europe.
The decision comes after a series of complaints were filed against IAB Europe in 2019, for allegedly breaching the GDPR in relation to the large-scale processing of personal data. The complaints related to IAB Europe’s Transparency & Consent Framework (TCF) in the context of Real-Time Bidding (RTB), the automated practice of buying and selling advertising space on websites through real-time auctions.
This decision will be of particular interest to New Zealand businesses that handle the personal information of anyone living in the EU, or target their goods and services at individuals in the EU. It also offers a timely reminder on compliance with New Zealand’s own privacy rules for those dealing with the collection of personal information in the advertising technology space locally.
How does the Transparency & Consent Framework, and Real-Time Bidding work?
RTB auctions occur in the time it takes a webpage to load, and result in targeted advertising being displayed to website users. In order to display advertising specifically tailored to the website user, the user’s personal data (for instance, year of birth, gender, interests, or location) is communicated to advertisers during the bidding process.
TCF is an IAB Europe framework which facilitates the capture of a website user’s preferences (for example, whether a user has consented to the use of cookies or pop-ups), and is intended to promote compliance with the GDPR. It is “the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement”.1 These preferences are stored in a ‘TC String’ which is shared with advertisers participating in the RTB process.
Outcome of the DPA investigation
First, the DPA had to consider whether IAB Europe was a ‘data controller’, as defined in the GDPR. A ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It was held that in this context, ‘personal data’ included a TC String. IAB Europe asserted it wasn’t a data controller as the TCF does not require participating organisations to pursue certain objectives – rather, it argued, the TCF aims to provide information which must be provided to data subjects in accordance with the GDPR.
The DPA considered IAB Europe was a data controller because it imposed binding rules on participating organisations for the processing of personal data. IAB Europe was also found to “determine the means of generating, storing and sharing the TC String by which the preferences, objections and consent of users are processed.”
As a data controller, IAB Europe is subject to a number of responsibilities under the GDPR, for example, ensuring the security of personal data, carrying out a data protection impact assessment and appointing a data protection officer.
The DPA further held that, as a data controller, IAB Europe had breached a number of articles in the GDPR including:2
- Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String.
- Transparency and information of the users: The information provided to website users was not offered in a ‘transparent, comprehensible and accessible manner’ as required. Users of webpages that participate in the TCF were not given sufficient information about the categories of personal data collected about them. The information provided to website users was deemed too general, invalidating any consent received for processing.
- Accountability, security and data protection by design/by default: The integrity of the TC String was not sufficiently ensured. While IAB Europe used a consent management system, it had not taken the “necessary steps to ensure the validity, integrity and compliance of users’ preferences and consent” – it was possible for consent to be falsified.
- Other obligations for controllers that process personal data on a large scale: IAB Europe failed to:
- maintain a record of processing activities;
- carry out a comprehensive data protection impact assessment; and
- appoint a data protection officer.
What does this mean for New Zealand businesses?
As well as the 250,000 euro fine issued by the DPA, the DPA ordered that IAB Europe immediately delete all personal data collected through the TCF. While the DPA’s ruling doesn’t prohibit the TCF (as requested by complainants), IAB Europe has been given two months to submit an action plan to bring its activities into compliance with the GDPR. This means that organisations which have implemented the TCF, and rely on it in order to comply with the GDPR, should prepare for changes to the framework in the upcoming months.
This ruling will be particularly important to note for New Zealand businesses that handle the personal information of anyone living in the EU, or target their goods and services at individuals in the EU, and have implemented the TCF. These businesses should prepare for upcoming changes.
While the DPA’s decision is unlikely to directly affect New Zealand businesses that operate solely in New Zealand, it also still serves as a timely reminder for New Zealand businesses dealing with the collection of personal information in the ‘adtech’ space. They should ensure they are doing so correctly under the Privacy Act 2020.
IAB Europe has confirmed it will appeal the DPA’s decision to the Belgian Market Court, asserting that it is not a data controller in the context of the TCF. IAB Europe have stated that the DPA’s ruling “will have the perverse effect of discouraging other standard-setting organisations from investing in instruments that aim to protect users and facilitate the exercise of their rights under the GDPR.”3
If you have any questions about the matters raised in this article, please get in touch with the contacts listed, or your usual Belly Gully adviser.
1 The BE DPA to restore order to the online advertising industry: IAB Europe held responsible for a mechanism that infringes the GDPR | Autorité de protection des données<br>Gegevensbeschermingsautoriteit (dataprotectionauthority.be)
3 IAB Europe to Appeal Belgian Data Protection Authority Ruling – IAB Europe