Omar Oakes
Oct 19, 2020

Influential Euro regulator rules online advertising in GDPR breach

Belgium's APD-GBA is the lead enforcer on internet privacy for the European Union, so its findings will be seen as significant across the Continent.

Influential Euro regulator rules online advertising in GDPR breach

IAB Europe’s Transparency & Consent Framework, a key pillar of how online advertising is conducted on the Continent, is in breach of laws protecting people’s data privacy, a key European regulator has ruled.

The Belgian data protection authority, the APD-GBA, ruled on 16 October that the TCF, a set of best-practice guidelines for collecting and processing data for ad targeting, is in breach of the General Data Protection Regulation.

The APD-GBA is the lead enforcer on internet privacy for the European Union, so its findings will be seen as significant. Each member state has a national data protection authority, as does the UK, which had chosen to adopt the GDPR into UK law after Brexit. But Belgium is the “lead supervisory authority” under the GDPR “one-stop-shop” mechanism.

Critics have blamed the TCF, released in March 2018 on the eve of GDPR being enacted, for being inadequate in ensuring user consent in the way programmatic ads are served via real-time bidding. 

Last year, IAB Europe launched a new version of the TCF, which it said would provide more transparency and control for publishers over how and why data was being collected by users for advertising purposes. 

Following complaints made in 2018 by a range of privacy campaigners and academics, the Belgian regulator reported preliminary findings that the IAB framework allows advertisers to swap sensitive information about people even when they have not been authorised to do so.

“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects,” the report said. 

The IAB Framework, the regulator added, fails to provide adequate controls for the processing of intimate personal data that occurs in real-time bidding, the auction-based system in which online ads are bought and sold within nanoseconds and served to internet users based on data held about them.

It added: “The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data." 

The APD-GBA Inspectorate Service has forwarded its findings to the APD-GBA Litigation Chamber, which will hear evidence from the complainants and the IAB. If there is enforcement action, this is expected to take place early next year. 

Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and one of the complainants, told Campaign: “The IAB Framework is used by Google and others to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. Now, the APD-GBA is peeling this veneer off.”

Ryan, who made the complaint while working for Brave, the tracking-blocking internet browser, has consistently argued that it is impossible to ask for GDPR-compliant consent for real-time bidding, because the process leaks what people are reading, listening to and watching to an unknown number of companies. 

The ICO appeared to agree, having launched an investigation into RTB and warning that a world of “perverse incentives” had been created in which being intrusive was being rewarded with better prices for online advertising.

However, the ICO paused the probe last May because it did not want to put the online advertising industry under “undue pressure” amid the economic impact of the coronavirus pandemic. 

In a statement reacting to the APD-GBA report, IAB Europe said it disagreed with the authority’s interpretation of the law and that the TCF was written after consulting regulators across the Continent.

It said: “We find it regrettable that a standard whose requirements reflect an interpretation of the law that errs on the side of consumer protection and aligns with multiple DPA guidance materials across the EU (CNIL, DPC, ICO, etc), should be the focus of an enforcement action, rather than an opportunity for a constructive, good-faith dialogue on how the TCF can be improved in ways that better align with the APD’s vision and with consumer and industry needs.

“Over the past three years we have had the chance to present the TCF to a number of European DPAs, whose feedback we reflected in important changes in the V2 of the Framework, rolled out earlier this year. We will be fully engaging with the APD over the coming months as its services conduct evaluations on the merits of the report. We will also continue to work with regulators and seek their guidance on how the TCF can promote compliance with both the GDPR and the ePrivacy Directive.”


Campaign UK

Related Articles

Just Published

6 hours ago

Asia-Pacific Power List 2023: Edward Bell, Cathay ...

Turbulence is a part of flying; Bell’s innovative strategies, which are a perfect blend of safety, reliability and a little fun, improved customer touchpoints for the brand and was key in keeping Cathay aloft.

6 hours ago

Move and win roundup: Week of May 29, 2023

Catch up with marcomms updates from DDB, OutSystems, The Future Communicators Foundation, Xtend and more to come in our people move and account wins roundup.

7 hours ago

Creative campaign aims to bring Singaporeans closer ...

TSLA's multimedia creative work for the newly-opened Bird Paradise at Mandai Wildlife Reserve aims to show how close an escape to 'paradise' can be.