By: Heidi Waem and Verena Grentzenberg
On 2 February 2022, the Belgian Data Protection Authority (Belgian DPA) rendered its long-awaited decision against IAB Europe with regard to the IAB Transparency and Consent Framework (TCF).
In this blog post we will discuss:
- The procedure
- TCF, RTB and the TC String
- The findings of the Inspection Service
- The findings of the Litigation Chamber
- The sanctions
- The implications for users of the TCF
In the meantime, IAB Europe has published a number of FAQs which are available here.
The case was initiated following nine identical or similar complaints, four of which were filed directly with the Belgian DPA and five through the EU IMI system. In addition, the Belgian DPA’s Inspection Service (the body within the DPA that investigates potential violations of the GDPR) also carried out inspections on its own initiative.
The Belgian DPA handled this case as lead supervisory authority drawing its jurisdiction from a combined reading of articles 56 and 4(23)b GDPR.
The following supervisory authorities acted as concerned supervisory authorities (CSAs): the Netherlands, Latvia, Italy, Sweden, Slovenia, Norway, Hungary, Poland, Portugal, Denmark, France, Finland, Greece, Spain, Luxembourg, Czech Republic, Austria, Croatia, Cyprus and 8 out of 16 German authorities competent for the private sector (Berlin, Rhineland-Palatinate, North Rhine-Westphalia, Saarland, Lower Saxony, Brandenburg, Mecklenburg-Western Pomerania, Bavaria).
As foreseen under article 60.3 GDPR, the Belgian DPA submitted its draft decision to the CSAs. Both the Dutch and Portuguese data protection authorities submitted relevant and reasonable objections. Furthermore, comments were made by other CSAs. The decision does not, however, specify which ones.
A revised draft decision was submitted to the CSAs as foreseen under article 60.5 GDPR.
As this decision was taken on the basis of the cooperation procedure, the Belgian DPA and the CSAs are in agreement on the decision and are bound by it. However, with respect to the actors involved in the TCF and OpenRTB, the decision is only binding on IAB Europe. It is not binding on or opposable to, for example, publishers or advertisers.
IAB Europe has 30 days from the date of notification of the decision to file an appeal with the Belgian Market Court, i.e. until the 3rd of March 2022. In the meantime, IAB Europe has confirmed that it will appeal the decision.
Transparency and Consent Framework / Real Time Bidding / TC String
The TCF was developed by IAB Europe and provides an operational framework intended to ensure GDPR compliance of data processing operations taking place in particular in the context of the OpenRTB protocol. OpenRTB was created by IAB Tech Lab and IAB (neither of which was involved in the proceedings before the Belgian DPA) for the auctioning of online advertising space by means of so-called Real-Time Bidding (RTB). However, the scope of the TCF is broader than processing in the context of the OpenRTB protocol and also covers audience measurement and performance measurement.
The main players within the TCF are:
- the publishers: parties making advertising space available on their website or in their application;
- the adtech vendors: companies engaged in filling advertising spaces on publisher websites such as advertisers, sell-side platforms, demand-side platforms, ad exchanges and data management platforms; and
- the CMPs: companies offering consent management platforms or CMP solutions, i.e. pop-ups to collect the users’ consent to the placement of cookies.
When using a CMP, a so-called TC String is generated (Transparency and Consent String). This TC String is a combination of letters, numbers and other characters which captures in a structured and automated way the preferences of a user (in particular consent or no consent) when s/he visits a website or app of a publisher that has integrated a CMP. The TC String allows the relevant vendors to analyse the preferences of the user to see whether there is a legal basis to process the personal data of the user for the relevant marketing purposes.
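As an added example (not code from the post or from IAB Europe), the following encodes and decodes the core segment of a TCF v2 TC String using the bit layout published in the IAB TCF v2 technical specification. The CMP id, timestamps, purposes and vendor ids in the sample are constructed; range-encoded vendor lists, publisher restrictions and the optional segments after the first '.' are left out.

```python
import base64

# Fixed fields of the TCF v2 core segment, (spec name, bit width), in spec order.
CORE_FIELDS = [("Version", 6), ("Created", 36), ("LastUpdated", 36), ("CmpId", 12),
    ("CmpVersion", 12), ("ConsentScreen", 6), ("ConsentLanguage", 12), ("VendorListVersion", 12),
    ("TcfPolicyVersion", 6), ("IsServiceSpecific", 1), ("UseNonStandardStacks", 1),
    ("SpecialFeatureOptIns", 12), ("PurposesConsent", 24), ("PurposesLITransparency", 24),
    ("PurposeOneTreatment", 1), ("PublisherCC", 12)]
ID_FIELDS = {"SpecialFeatureOptIns", "PurposesConsent", "PurposesLITransparency"}

def _bits(value, width):  # exactly `width` binary digits, MSB first ("" when width is 0)
    if not 0 <= value < (1 << width):
        raise ValueError(f"value {value} does not fit in {width} bits")
    return format(value, "b").zfill(width) if width else ""

def ids_to_int(ids, width):  # bitfield with bit i (1-based, MSB first) set for each id
    value = 0
    for i in ids:
        if not 1 <= i <= width:
            raise ValueError(f"id {i} outside 1..{width}")
        value |= 1 << (width - i)
    return value

def int_to_ids(value, width):
    return [i for i in range(1, width + 1) if (value >> (width - i)) & 1]

def letters_to_int(two_letters):  # ConsentLanguage / PublisherCC: 6 bits per letter, A = 0
    first, second = (ord(c) - 65 for c in two_letters.upper())
    return (first << 6) | second

def encode_tc_string(core, vendor_consents):
    # Core segment only: fixed fields as ints, bitfield vendor consents, empty vendor-LI section.
    bits = "".join(_bits(core[name], width) for name, width in CORE_FIELDS)
    max_id = max(vendor_consents, default=0)  # MaxVendorId, IsRangeEncoding = 0, then bitfield
    bits += _bits(max_id, 16) + "0" + _bits(ids_to_int(vendor_consents, max_id), max_id)
    bits += _bits(0, 16) + "0" + _bits(0, 12)  # no vendor LI, NumPubRestrictions = 0
    bits += "0" * (-len(bits) % 8)  # pad to whole bytes before base64url
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_tc_string(tc_string):
    # Parses the core segment (before the first '.') up to the vendor consents; rejects
    # other versions, truncated input and range-encoded vendor sections.
    core = tc_string.split(".")[0]
    bits = "".join(format(b, "08b") for b in
                   base64.urlsafe_b64decode(core + "=" * (-len(core) % 4)))
    pos = 0
    def take(width):
        nonlocal pos
        chunk = bits[pos:pos + width]
        if len(chunk) != width:
            raise ValueError("TC String is truncated")
        pos += width
        return int(chunk, 2) if width else 0
    out = {}
    for name, width in CORE_FIELDS:
        value = take(width)
        if name == "Version" and value != 2:
            raise ValueError(f"unsupported TC String version {value}")
        out[name] = int_to_ids(value, width) if name in ID_FIELDS else value
    max_id = take(16)
    if take(1):
        raise ValueError("range-encoded vendor section not supported here")
    out["VendorConsents"] = int_to_ids(take(max_id), max_id)
    return out

# Constructed sample (not any CMP's real output): service-specific scope, consent for
# purposes 1-4 only, LI transparency for purposes 7, 9 and 10, three consented vendors.
SAMPLE_CORE = {"Version": 2, "Created": 16437600000, "LastUpdated": 16437600000,
    "CmpId": 7, "CmpVersion": 1, "ConsentScreen": 1, "ConsentLanguage": letters_to_int("EN"),
    "VendorListVersion": 120, "TcfPolicyVersion": 2, "IsServiceSpecific": 1,
    "UseNonStandardStacks": 0, "SpecialFeatureOptIns": 0, "PurposeOneTreatment": 0,
    "PurposesConsent": ids_to_int([1, 2, 3, 4], 24), "PublisherCC": letters_to_int("BE"),
    "PurposesLITransparency": ids_to_int([7, 9, 10], 24)}
SAMPLE_VENDORS = [1, 8, 755]
```

Nothing in the format itself carries a signature, so a vendor can parse a received string but cannot tell from the string alone which CMP generated it.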
The case at hand mainly concerns the TC String and related processing, as the TC String is at the heart of the TCF managed by IAB Europe, which is the main subject of the proceeding (as opposed to the OpenRTB protocol, which is not managed by IAB Europe).
The findings of the Inspection Service
The findings of the Inspection Service can be summarized as follows:
- IAB Europe acts as a data controller in respect of the TCF and the personal data processing operations relating thereto.
- IAB Europe wrongly uses legitimate interest as a basis for processing personal data under the TCF, where special categories of data may also be processed in certain cases (breach of articles 5.1.a, 5.2, 6.1, 9.1 and 9.2 GDPR).
- The information provided does not comply with articles 12.1, 13 and 14 GDPR.
- IAB Europe does not provide for any control of participants’ compliance under the TCF policy rules (breach of articles 24.1, 32.1 and 32.2 GDPR).
- IAB Europe failed to keep a register of processing activities (breach of article 30 GDPR).
- IAB Europe did not cooperate sufficiently with the investigation by the Inspection Service (breach of article 31 GDPR).
- IAB Europe failed to appoint a DPO although as Managing Organisation it reserves the right to access the (personal) data that organisations participating in the TCF collect and process (breach of article 37 GDPR).
Under Belgian law, the Litigation Chamber – the body within the Belgian DPA that is competent to impose sanctions – is not bound by the findings of the Inspection Service. However, as will be explained in the next section, the Litigation Chamber upholds almost all the infringements identified by the Inspection Service. Among the limited number of accusations not confirmed is the – quite common – claim that the TC String involves the processing of special categories of personal data (such as health data or data on religious beliefs). According to the Litigation Chamber, no such special categories of personal data are included in the TC String, as it is not possible to link the technical information in the TC String to the contents of a website. This finding is very valuable, as several authorities and in particular consumer associations have vehemently advocated the opposite position.
The findings of the Litigation Chamber
Before assessing any potential infringements of the GDPR, the Litigation Chamber first assesses whether the TCF involves the processing of personal data and the responsibility of IAB Europe in this respect.
Processing of personal data within TCF?
The complainants and IAB Europe have opposing views on whether the TC String constitutes personal data. The complainants argued that it does constitute personal data, while IAB Europe argued that it does not.
The Litigation Chamber finds that even though “it is not conclusively established that the TC String, due to the limited metadata and values it contains, in itself allows for direct identification of the user, once the consent pop-up is accessed by the script from a server managed by the CMP, it inevitably also processes the user’s IP address, which is expressly classified as personal data under the GDPR”. Therefore, the possibility of combining the TC String with the IP address means that it is information about an identifiable user.
Furthermore, the Litigation Chamber notes that, if the purpose of the processing is the singling out of persons – which according to the Litigation Chamber is the case, as the TC String’s purpose is to capture the preferences of a specific user – it may be assumed that the controller or another party has or will have at its disposal the means by which a data subject may reasonably be expected to be identified. To claim that individuals are not identifiable, when the purpose is precisely to identify them, would be a contradictio in terminis.
As to whether the TC String is processed, the Litigation Chamber finds that it is indeed processed based on the understanding that “the TCF inherently entails the collection, processing, storage and subsequent sharing of user’s preferences with other parties, whether or not in combination with additional personal data in the context of the OpenRTB”.
Responsibility of IAB Europe for the processing operations within the TCF
The Litigation Chamber does not follow IAB Europe’s reasoning that it is neither a data controller nor jointly responsible for the processing of personal data collected by the participating organisations in the context of the TCF. According to the Litigation Chamber, IAB Europe has a decisive influence on the purposes and the means of the processing by imposing compulsory TCF parameters.
- Determination by IAB Europe of the purpose of the processing
While the Litigation Chamber concurs with the statement by the Inspection Service that “the TCF does not in itself constitute processing of personal data, but is a set of policy documents and technical specifications developed by IAB Europe and IAB Tech Lab”, it considers IAB Europe to determine the purpose of the processing based on the following considerations:
- User preferences – which CMPs record via a user interface and store using the TC string and which constitute personal data – are processed in the context of the TCF.
- The objectives for which the user preferences are processed (i.e. enabling website publishers, app publishers and their advertising technology partners to obtain consent, transparently disclosing processing purposes and establishing a valid legal basis in order to provide digital advertising) are reflected in the IAB Europe TCF Policies.
- It follows from documentation drawn up by IAB Europe, where the purpose of the TC String is described, that IAB Europe determines the purpose of the TC String.
- The TCF Policies stipulate a mandatory list of purposes.
- Determination by IAB Europe of the means of the processing
In addition, the Litigation Chamber finds that IAB Europe determines the means of generating, storing and sharing the TC String based on the following decisive elements:
- IAB Europe defines how CMPs can collect consent or objections from users, generate a unique TC String, and store the value of the TC String.
- IAB Europe, in collaboration with IAB Tech Lab, has developed the technical specifications of the API (i.e. the application interface) with which adtech vendors, among others, can access the preferences of the users, which are managed by the CMP, in a standardised way.
- IAB Europe determines the storage location and method for both service-specific and globally scoped consent cookies (note by the authors: IAB Europe announced the deprecation of global scope support on June 22nd 2021).
- IAB Europe manages the list of registered CMPs and adtech vendors and therefore determines the possible recipients to which the data relating to the TC String is communicated.
- IAB Europe determines the criteria by which the retention periods for TC Strings may be established and the way in which organisations participating in the TCF must make these TC Strings available to IAB Europe (note by the authors: IAB Europe does not access TC Strings but arguably could).
Having concluded that IAB Europe determines the purposes and the means of the processing of the TC String, the Litigation Chamber further considers the role of the other actors in the adtech space (i.e. publishers, CMPs and adtech vendors).
The Litigation Chamber finds that all parties should be considered joint controllers based on a convergence of decisions by IAB Europe on the one hand and the participating organisations on the other hand. IAB Europe provides an ecosystem within which the consent, objections and preferences of the users are collected and exchanged, not for its own purposes but to facilitate further processing by the publishers and adtech vendors. However, the reasoning of the Litigation Chamber on why certain ways of implementing the TCF may or may not lead to joint control is anything but clear and not very compelling.
The finding of the Litigation Chamber on the controllership of IAB Europe raises important questions with regard to the role of standard-setting organisations. When setting a standard, it is obvious that decisions are made by the standard-setting organisation and that there is not much leeway for companies using the standard to deviate from it. However, qualifying them as a controller may be a step too far. It seems that the tipping point for the Litigation Chamber is that, in addition to setting standards, IAB Europe also operates the domain “consensu.org”, which in the context of globally scoped cookies in exceptional cases allowed the TC String to be stored in a shared, globally scoped consent cookie in the past. This, however, raises questions, as IAB Europe no longer seems to offer this, and it seems doubtful to qualify IAB Europe as (joint) controller for the entire TCF on the basis of past behaviour.
Infringements of the GDPR
IAB Europe is considered to have committed a number of infringements of the GDPR. As IAB Europe’s position is that they are not processing personal data and thus not a controller, the finding by the Litigation Chamber that they are a controller inevitably led to the finding that they infringed the GDPR. It is logical that when an organisation does not qualify itself as controller under the GDPR, it has not taken steps to comply with the GDPR.
In particular, the Litigation Chamber found that IAB Europe has breached the following articles:
- Breach of articles 5.1a and 6 GDPR (lawfulness and fairness of the processing) as the current TCF does not provide a legal basis for the processing of user preferences in the form of a TC String.
While one would expect that the Litigation Chamber would analyse to what extent IAB Europe fails to comply with the relevant requirements, it rather seems to consider a lack of legal basis on the part of the CMPs:
- “The Litigation Chamber finds that users are not informed anywhere of the lawful basis for the processing of their own, individual preferences in relation to purposes and permitted adtech vendors by CMPs.”
- “Neither the TCF Policies nor the TCF Implementation Guidelines mention an obligation on the part of the CMPs to obtain the unambiguous consent of users before capturing their preferences in a TC String, which is placed on the end devices of users thanks to a euconsent-v2 cookie.”
However, if IAB Europe is a controller then it should provide for a legal basis for the relevant processing. This is not altered by the fact that IAB Europe is considered a joint controller with the other involved actors. In case of joint controllership, each joint controller must provide for a legal basis for its (joint) processing. It is not clear how IAB Europe can be considered responsible for the fact that users are not duly informed of the processing by CMPs or why IAB Europe should be obliged to impose an obligation on CMPs to ask for consent (in particular, as the Litigation Chamber in its decision explains that legitimate interests could be the appropriate legal basis for the processing of the TC String). A possible interpretation could be that the Litigation Chamber deems it impossible for IAB Europe to procure consent itself as it is not in contact with the data subjects and that it must delegate this task to the CMPs. However, this is not clear from the decision and is something that should in principle be addressed in a joint controllership arrangement.
With regard to the lack of legal basis, the Litigation Chamber has also considered “the legal grounds proposed and implemented by the TCF” (i.e. consent and legitimate interest) for the processing by other actors, thereby emphasising that these two legal bases relate to the processing taking place under the OpenRTB. It concludes that the TCF offers two legal bases for the processing of personal data by TCF participants (consent and legitimate interest) but that under the current setup none of them can be used.
While one can see why the Litigation Chamber wishes to express its view on the processing in the context of the OpenRTB, it is nevertheless peculiar that they have assessed this in the context of the proceedings against IAB Europe for the following reasons. IAB Europe is not the controller for the processing in the context of the OpenRTB, no other TCF participants were involved in the case, and the decision as such is not opposable to third parties. Moreover, earlier in the decision, with regard to the responsibility, the Litigation Chamber excluded from the scope the processing operations taking place in the context of the OpenRTB.
- Breach of articles 12, 13 and 14 (transparency) as (i) IAB Europe fails to inform data subjects about the fact that it might claim the “records of consent” from the CMPs and (ii) the manner in which information is provided, as laid down by IAB Europe, does not comply with the requirement of a “transparent, comprehensible and easily accessible form”. The Litigation Chamber also notes that some of the stated processing purposes are too generic.
- Breach of articles 24, 25, 5.1f and 32 GDPR (accountability, data protection by design and default, integrity and confidentiality, security of processing) for failure to ensure the security of the processing. Given the very large number of TC Strings generated each day within the TCF, the Litigation Chamber finds it essential that all the rules governing participation in the TCF are observed and complied with by all the involved parties. IAB Europe offers the TCF to make OpenRTB compliant with the GDPR. Consequently, IAB Europe, as managing organisation for the TCF and jointly responsible for the processing carried out within that framework should take technical and organisational measures to ensure that participants at least comply with the TCF policies.
Based on an article by legal scholars and on the prohibition under the TCF Policies on vendors generating signals themselves, the Litigation Chamber states that there are insufficient measures in place under the TCF to guarantee the integrity of the consent signal and to ensure that a vendor has actually received it (as opposed to having generated it itself). Furthermore, the Litigation Chamber finds that the TCF Vendor Compliance Programme is not robust enough to ensure an appropriate level of security.
It should be important for IAB to find an answer to this accusation, because the alleged lack of control functions is an aspect that is also held against publishers, in particular in disputes with authorities or in civil disputes.
In the context of the assessment of the security of the TCF, the Litigation Chamber also touches upon potential transfers outside of the EEA and states that it “acknowledges, in view of the scope of the TCF – which involves a large number of participating organisations – that it is evident that personal data captured in the TC Strings will be transferred outside the EEA at some point by the CMPs, and that the defendant is acting as a data controller in this regard. However, the Litigation Chamber notes that the Inspection Service did not include an assessment of a concrete international transfer in its report. For this reason, the Litigation Chamber concludes that there is an infringement of the GDPR, but in view of the lacking evidence of a systematic international transfer, as well as the scope and nature thereof, the Litigation Chamber finds it is not in a position to sanction the defendant for a violation of articles 44 to 49 GDPR.”
This reasoning of the Litigation Chamber is highly questionable. It is difficult to see how it can conclude that chapter V GDPR has been infringed where it has not assessed any transfer.
The Litigation Chamber continues by stating that international transfers in the context of the TCF “must be assessed primarily by the publishers and the CMPs implementing the TCF” and that IAB Europe “should facilitate the due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or whether they intend to transfer personal data outside the EEA through their data processors.”
- Breach of article 30 GDPR (record of processing activities) for failure to keep a record of the relevant processing activities, thereby confirming the non-incidental nature of the processing.
- Breach of article 35 GDPR (data protection impact assessment) for failure to perform a data protection impact assessment.
- Breach of article 37 GDPR (data protection officer) for failure to appoint a data protection officer.
The Litigation Chamber orders IAB Europe to remedy the identified shortcomings within a maximum of six months following the validation of an action plan by the Litigation Chamber, to be submitted within 2 months after this decision. The order is subject to a penalty payment of 5,000 EUR for each day that IAB Europe fails to comply with the order.
In addition, IAB Europe must pay an administrative fine of 250,000 EUR. For the calculation of the fine, the Litigation Chamber only took into account turnover of IAB Europe, not of IAB or IAB Tech Lab.
Implications for users of the IAB Transparency and Consent Framework
As indicated above, the decision is not binding upon nor directly opposable to third parties. Under Belgian law, it only has the force of res judicata (“gezag van gewijsde”/“autorité de la chose jugée”) between the parties and for the same subject-matter.
However, the fact that the decision has been taken in the context of the cooperation proceedings means that it is binding on the involved data protection authorities. Consequently, if these authorities were to decide on a case involving the TCF and OpenRTB, it is to be expected that they will decide in line with the findings of the decision from the Belgian Data Protection Authority.
Furthermore, it follows from the decision that at least certain aspects of the TCF and OpenRTB are considered to be non-compliant with the GDPR. However, given that the Litigation Chamber has given IAB Europe a certain period of time to remedy the shortcomings, it could be argued that this period can be considered a grace period.
In particular, participants who are already facing regulators and consumer protection agencies that challenge the TCF (like, for example, publishers in Germany) might want to consider implementing certain requirements which seem to be key aspects for the Belgian Data Protection Authority prior to any potential grace period, in order to improve their defence position. Below is a list of general recommendations in this respect:
- basing any advertising-related purposes and RTB (as opposed to audience or performance measurement) solely on consent instead of legitimate interests;
- providing information on the purpose of the processing of the TC String and the applicable legal basis (i.e. legitimate interests), including information on the outcome of the balancing test (although this is not in line with the TCF policies, which conclusively determine the purposes, we do not expect IAB Europe to oppose an individual amendment before IAB Europe has addressed this issue);
- reducing the numbers of integrated adtech vendors for whose processing activities consent is sought;
- identifying the purposes pursued by the different adtech vendors per vendor;
- ensuring that users can easily re-enter the CMP (i.e. with one click) from every page of the website or app; and
- (as a publisher) implementing the (new) standard contractual clauses with every adtech vendor located in the USA, supported by supplementary measures where necessary.
Finally, the finding that all actors in the TCF/RTB ecosystem are to be considered joint controllers means that eventually a joint controllership agreement will need to be put in place. This, however, is something that for the entire ecosystem typically only a standard-setting institution like IAB Europe can provide for.