Explaining the Belgium DPA’s Decision on the IAB Europe’s Privacy Responsibilities

The Belgium DPA’s decision on the IAB Europe’s responsibilities when it comes to data privacy has been making waves across the globe. So, what did their decision include and how should companies respond?

Recently, the Belgium Data Privacy Authority (DPA) released a decision following its investigation of the International Advertising Bureau (IAB) Europe’s administration of the Transparency and Consent Framework (TCF). A growing debate is happening around the world about who is responsible for personal data in regards to privacy compliance, specifically GDPR, the most wide-reaching and comprehensive privacy regulations in the global market. The TCF is a set of technical standards and policies designed to help all parties of the digital advertising chain to comply with the GDPR. In simple terms, it tries to solve the compliance challenges of the Real-Time-Bidding (RTB) Advertisement framework, which is referred to as “surveillance advertisement”. 

In short, real-time bidding works by using an advertisement space on a specific website, sharing personal information about a data subject to allow advertisement vendors to bid on it so that “personalized” advertisement can be placed by the highest bidder. The challenge is that nobody can control who processes personal data as part of this processing activity. This has been criticized by the ICCL (Irish Data Protection Council), as well. 

The Belgium DPA’s decision asserts that, for GDPR purposes, Transparency and Consent (TC) Strings are personal data and that IAB Europe is the data controller of TC Strings. Vendors who participated in the TCF are also considered sub-controllers. This decision means that the IAB Europe and all Vendors participating in TCF are responsible for the RTB processing activities, mainly the sharing of personal data. 

This is significant because, by placing the primary responsibility on the IAB and participating vendors to protect customer data privacy, the IAB is now seen as out of compliance with the GDPR. The Transparency and Consent Framework and Real-Time Bidding have been criticized by a variety of experts in the last couple of years, so it’s not really a surprise that this framework is considered to be not compliant with the GDPR. 

So what does the Belgium DPA’s decision order the IAB to do? 

• First, it has to establish its own legal basis for processing TC Strings insofar as it is a controller of personal data in connection with TC Strings. 
• It must then delete TC Strings with globally-scoped consents from servers IAB Europe controls (the current version of the TCF no longer supports globally-scoped consents, in any case). 
• Following that, it must make updates to the TCF, including:
  • Improving the technical and organizational measures used to ensure the integrity of TC Strings.
  • Implementing audit procedures for TCF participants to evaluate their GDPR compliance.
  • Removing legitimate interest as an available legal basis under the TCF.
  • Setting new standards for and increasing the uniformity of the user interfaces presented by participating consent management platforms (CMPs).
• Next they must take procedural steps the GDPR requires of controllers of personal data, including updating records of processing activities, carrying out a data protection impact assessment, and appointing a Data Protection Officer.
• Finally, pay an administrative fine.

The order provides the IAB Europe with two months to develop an action plan for complying with the decision that can then be executed within a six-month time frame. IAB Europe is not prohibited from operating the TCF during this interim period. 

So how is the IAB Europe responding to the Belgium DPA’s decision? 

The IAB is rejecting the Belgium DPAs decision, specifically disagreeing with the conclusion that it is a controller of any personal data as a consequence of the administration of the TCF. In parallel with its efforts to challenge the Belgium DPA, the IAB Europe will develop an action plan for responding to the orders concerning updates to the TCF itself. 

How is Tealium impacted by the Belgium DPA’s decision?

Tealium is not and is not planning to be an active Vendor of the IAB TCF. Therefore, none of Tealium’s products are impacted by the Belgium DPA’s decision. In case a Tealium customer has implemented a TCF Consent Management Platform, Tealium has and will continue to process TCF signals, as these signals are required to respect and enforce the end-users privacy preferences (consent). 

Tealium is recommending companies to wait until IAB Europe releases their action plan within the next two months and act only after the Belgium DPA has either accepted or denied those actions. In the meantime, work on a plan B, preparing for a non-TCF Consent Management solution and get in touch with appropriate advertisement partners to understand their short and long-term solutions.

This decision is expected to be the first of many, as multiple Data Privacy Authorities and Privacy Experts have raised their concerns about the compliance of the Real-Time-Bidding data processing activities. Tealium is following this topic closely and will continue to provide guidance to support customers on their road to compliance and generally working beyond the checkbox for privacy. 

For more information on the importance of data privacy in today’s market, check out our “2022 State of the CDP Report” where data privacy was listed as a primary driver of CDP adoption by respondents surveyed.