IAB Europe’s ad tracking consent framework found to fail GDPR standard

Natasha Lomas
Senior Reporter, TechCrunch
October 16, 2020

A leading system used to obtain Internet users’ agreement for receiving targeted behavioral advertising – developed by the industry group IAB Europe – does not satisfy the necessary legal requirements for data protection, as determined by the EU’s data protection authority.

The investigation by the Belgian DPA was prompted by concerns regarding the utilization of personal data within the real-time bidding (RTB) aspect of programmatic advertising, with claims that the rapid exchange of personal data is fundamentally at odds with the data security provisions outlined in EU legislation.

IAB Europe’s Transparency and Consent Framework (TCF) is frequently encountered across the web in the region, requesting users to approve (or decline) the use of ad trackers – with the intention of assisting publishers in adhering to the EU’s data protection regulations.

This industry standard was a response to a significant revision of the bloc’s data protection rules following the implementation of the General Data Protection Regulation (GDPR) in May 2018 – which strengthened requirements for consent to process personal data and introduced substantially increased penalties for non-compliance – consequently raising the legal risks for the ad tracking sector.

IAB Europe launched the TCF in April 2018, stating at the time that it would “assist the digital advertising ecosystem in fulfilling obligations under the GDPR and ePrivacy Directive”.

The framework has seen widespread implementation, including integration by the major adtech company Google – which adopted it in August of this year.

Outside of Europe, the IAB has also recently been advocating for a similar tool to be employed for ‘compliance’ with California’s Consumer Privacy Act.

However, the conclusions of the investigatory branch of the Belgian data protection agency raise questions about this widespread adoption – suggesting the framework may not be suitable for its intended purpose.

The inspection service of the Belgian DPA presents several findings in a report examined by TechCrunch – including that the TCF does not adhere to GDPR principles of transparency, fairness, and accountability, and also fails to meet the requirements for lawful processing.

It also notes that the TCF lacks sufficient regulations for handling sensitive data categories (such as health information, political views, or sexual orientation) – despite actually processing such data.

Further unfavorable findings for IAB Europe include the absence of a designated Data Protection Officer and a record of its own internal data processing operations.

Its own privacy policy was also deemed inadequate.

We contacted IAB Europe for a response to the inspectorate’s findings. Update: See the end of this article for an initial response. Update 2: The ad standards organization has now released a statement here, characterizing the TCF as a “voluntary standard” containing “a minimal set of best practices”. It also states it “respectfully disagree[s] with the [Belgian DPA]’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF”, and adds: “If upheld, the [Belgian DPA]’s interpretation would have a detrimental effect on the development of open-source compliance standards that serve to support industry participants and protect consumers.”

A series of complaints concerning RTB have been submitted across Europe over the past two years, beginning in the UK and Ireland.

Dr. Johnny Ryan, who initially filed the RTB complaints – and currently serves as a senior fellow at the Irish Council for Civil Liberties – explained to TechCrunch: “The TCF was an attempt by the tracking industry to create a facade of legality over the substantial data breach inherent in behavioral advertising and tracking, and the Belgian DPA is now dismantling that facade and revealing the illegality.”

Ryan has previously characterized the RTB issues as “the largest data breach ever recorded”.

Last month, he released another detailed report outlining the extent and severity of personal data leaks through RTB – including findings that a data broker utilized RTB to profile individuals with the intention of influencing the 2019 Polish Parliamentary Election by targeting LGBTQ+ individuals. Another data broker was discovered to be profiling and targeting Internet users in Ireland based on categories such as “Substance abuse”, “Diabetes,” “Chronic Pain,” and “Sleep Disorders”.

In a statement, Ravi Naik, the solicitor involved in the original RTB complaints, commented on the Belgian inspectorate’s findings: “These findings are serious and long overdue. As the standard setters, the IAB is accountable for breaches of the GDPR. Their supervisory authority has correctly determined that the IAB ‘neglects’ the risks to data subjects. The IAB’s responsibility now is to halt these breaches.”

Following the submission of RTB complaints, the UK’s data protection authority, the ICO, issued a warning regarding behavioral advertising in June 2019 – urging the industry to recognize the need for compliance with data protection standards.

However, the regulator has not followed up with any enforcement measures – aside from several mildly worded blog posts. Most recently, it suspended its (ongoing) investigation into the matter due to the pandemic.

In a separate development last year, Ireland’s DPC initiated an investigation into Google’s online Ad Exchange – examining the legal justification for its processing of personal data. However, this investigation is one of many that remain open on its agenda. And the Irish regulator continues to face criticism regarding the time it takes to issue decisions on significant cross-border GDPR cases involving major technology companies.

Jef Ausloos, a postdoctoral researcher in data privacy at the University of Amsterdam – and one of the complainants in the Belgian case – told TechCrunch that the DPA’s action puts pressure on other EU regulators to act, criticizing what he described as “their complete, deer-in-the-headlights inaction”.

“I anticipate we will see more of this in the coming months/year, meaning other DPAs, frustrated with the lack of progress, will take matters into their own hands – rather than waiting on the Irish,” he added.

“We are pleased to finally see a data protection authority willing to confront the online advertising industry at its core. This could be the first significant step towards dismantling surveillance capitalism,” Ausloos also stated.

Several steps remain before the Belgian DPA takes action based on its inspectorate’s report – with a number of procedures still outstanding in the regulatory process. We contacted the Belgian DPA for comment. Update: See below.

However, according to the complainants, the inspectorate’s findings have been forwarded to the Litigation Chamber, and a decision is anticipated in early 2021. This suggests that privacy advocates in the EU may soon have the opportunity to enforce their rights against the ad tracking industry/data industrial complex.

For publishers, this highlights the need to change how they generate revenue from their content: Privacy-respecting alternatives to intrusive ads are available (such as contextual ad targeting, which does not utilize personal data). Some publishers have already experienced positive revenue results from switching to contextual ads. Subscription-based business models are also an option (although not all venture capitalists favor them).

https://twitter.com/robinberjon/status/1317104224443027461

Update I: In response to inquiries about the next steps and the expected timeline for reaching a decision, a spokesperson for the Belgian DPA informed us: “Regarding procedure, now that the report of the Investigation Service has been transferred to the Litigation Chamber of the BE DPA, the Litigation Chamber will examine the case on its merits.”

“At this time, we prefer not to provide an estimated timeframe for when the Litigation Chamber will reach a decision in this case,” she added.

Update II: When asked for her response to the report, IAB Europe’s CEO, Townsend Feehan, told us the ad standards body would be issuing a statement shortly. She also expressed objection to the headline of this report, stating: “I find your headline to be misleading. It is simply factually incorrect.”

When questioned about what was factually incorrect, she objected to the phrasing ‘found to fail GDPR standard’ – explaining that it “strongly implies a ruling by an authority”.

After we clarified that our reporting indicates the procedure is ongoing – including an explanation and a quotation from the Belgian DPA to that effect – she said: “The point I would like to make is that I find your headline to be misleading and I believe it would be a more accurate representation of the truth if the headline could convey that a preliminary investigation finds [the TCF fails the GDPR standard].”

Regarding special category data, she also asserted: “You cannot use the TCF to process special category data.”

“I don’t want to go through the whole report with you but you published a headline that gives the market the impression that the TCF has been found by a DPA to breach the GDPR and that is not the case,” she also stated, adding: “We will have a further statement on the way probably in the next couple of hours.”

Update III: IAB Europe’s full statement regarding the findings of the Belgian DPA’s investigation is now available on its website, where it states: “The APD’s report represents the preliminary views of the APD’s investigations unit and has no binding effect with regard to any breach of the law by IAB Europe.”


Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time with TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – concentrating on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.