The IAB Transparency & Consent Framework (TCF) is an open standard created jointly by IAB Europe and the industry and launched in 2018 to meet the requirements of GDPR and ePrivacy for digital advertising.
On Wednesday, 2 February 2022, the Belgian data protection authority APD issued a decision finding that the TCF standard violated certain parts of the EU's General Data Protection Regulation (GDPR). As a result of the infringement, IAB Europe was fined a total of €250,000. The data protection authorities of other EU countries also participated in the decision-making of the APD, and thus the decision is in principle binding in all EU countries.
According to the statement, IAB Europe has the role of controller for the TCF's TC String, which was interpreted in the decision as personal data. It should be noted that the decision only applies to IAB Europe and not to the companies using the TCF standard.
Within the next two months, IAB Europe had to submit a development plan to the APD to remedy the shortcomings identified in the decision.
How did the process continue after the published decision?
On 4 March 2022, IAB Europe submitted to the Market Court (Court of Appeal of Brussels) an appeal against the Belgian Data Protection Authority (APD) ruling, which claimed that IAB Europe acted in breach of the General Data Protection Regulation (GDPR). A ruling by the Market Court on the appeal is expected in mid or late summer 2022.
On 1 April 2022, IAB Europe submitted the action plan required by the decision to the APD. Once the action plan has been reviewed and validated by the APD and concerned supervisory authorities, IAB Europe will have six months to implement it.
On 13 May, IAB Europe announced that it is withdrawing its request for suspension of the execution of the decision issued by the Litigation Chamber of the Belgian Data Protection Authority (“APD”) on IAB Europe and the Transparency & Consent Framework (TCF). The request for suspension had been submitted as part of the appeal to the Belgian Market Court lodged on 4th March. The withdrawal coincides with a confirmation by the APD that it will not take a decision on validation of the action plan submitted by IAB Europe until 1st September at the earliest, the date by which the Market Court is expected to have issued a ruling on the appeal.
On 7th September, IAB Europe acknowledged the interim ruling handed down by the Belgian Market Court (part of the Brussels Court of Appeal) in connection with IAB Europe’s appeal of the February 2022 decision by the Belgian Data Protection Authority (APD) on IAB Europe and the Transparency & Consent Framework (TCF). In its interim ruling, the Market Court decided to refer preliminary questions to the Court of Justice of the European Union (CJEU) on how the concept of data controllership in the GDPR, as it pertains to this case, is to be interpreted and on whether a TC String (a digital signal containing user preferences) can be considered “personal data” under the GDPR. The referral to the CJEU means that a final judgement by the Market Court is unlikely until 2023 or even 2024.
The full Q&A compiled by IAB Europe can be found here. We have compiled below some of the most essential points for a quick overview.
Are TCF CMP consent pop-ups illegal?
No. There is nothing in the APD’s decision that even remotely suggests that consent prompts are illegal or that they should not be employed by the digital advertising ecosystem to comply with legal requirements under the EU’s data protection framework. The APD considers only that TCF-compliant TC Strings can be considered personal data under certain conditions. Therefore, TC Strings require a legal basis under the GDPR (consent or legitimate interest), and the APD will request further clarification in its decision.
Why are TC Strings considered personal data by the APD?
TC Strings are the digital signals created by Consent Management Platforms (CMPs) that work for Publishers (owners of websites and/or apps) to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement. The APD does not consider the TC String itself to be personal data, as the TC String does not allow for direct identification of the user due to the limited metadata and values it contains. However, the APD holds that the possibility of CMPs being able to combine TC Strings with the IP address means that a TC String is ultimately information about an identifiable user and therefore personal data.
Should all data collected via the TCF be deleted?
No. The APD says explicitly in its decision that it cannot impose on IAB Europe the removal of all TC Strings generated until now. The APD only requires IAB Europe to ensure the deletion of personal data collected through TC Strings in the context of a specific mechanism called the “global scope”. Deprecation of global scope support was announced by IAB Europe on June 22nd 2021. The APD's decision currently concerns IAB Europe and not any individual market player, but it refers to the possibility of ordering an individual operator to delete data collected through the TCF if the data contain personal data collected in breach of Articles 5 and 6 GDPR.
What are the next steps?
In September 2022, the Market Court made a preliminary ruling request to the Court of Justice of the European Union. Bringing the case to the Court of Justice of the European Union means that the final verdict of the Market Court is unlikely to be reached before 2023 or even 2024. It is currently not possible to give a more precise timeline. IAB Europe regularly provides updates on the different stages of the complaint process.
We believe that IAB Europe will communicate more on this in the coming months. We will follow with interest the development of the situation.