IAB Europe's ad tracking framework found to fall short of the GDPR standard


According to findings by its EU data protection regulator, a flagship framework for obtaining internet users' consent to targeting with behavioral ads, developed by the advertising industry body IAB Europe, does not meet the required legal standards of data protection.

The Belgian Data Protection Authority's investigation follows complaints about the use of personal data in real-time bidding (RTB), a component of programmatic advertising. The complaints argue that a system of high-speed trading of personal data is inherently incompatible with data protection requirements under EU law.

IAB Europe's Transparency and Consent Framework (TCF) appears on websites across the region, asking users to accept (or decline) ad trackers – with the stated aim of helping publishers comply with EU data protection regulations.

It was the advertising industry body's response to a major update of the bloc's data protection rules, the General Data Protection Regulation (GDPR), which went into effect in May 2018 – tightening standards for consent to the processing of personal data and introducing oversized penalties for violations, and so increasing the legal risk for the ad tracking industry.

IAB Europe launched the TCF in April 2018; at the time it stated that it would "help the digital advertising ecosystem meet its obligations under the GDPR and the Electronic Communications Privacy Policy".

The framework has been widely adopted, including by the adtech giant Google, which integrated it in August.

Outside of Europe, the IAB also recently urged that a version of the same tool be used to “comply” with California's Consumer Law.

However, the findings of the Belgian DPA's investigation department cast doubt on all of this, suggesting that the framework is inadequate.

The inspection service of the Belgian data protection authority made a number of findings in a report reviewed by TechCrunch – including that the TCF does not comply with the GDPR principles of transparency, fairness and accountability, nor with the lawfulness of processing.

The report also notes that the TCF does not provide adequate rules for processing special category data (e.g. health information, political affiliation, sexual orientation, etc.), yet does process that data.

There are other extremely embarrassing findings for IAB Europe: the regulator found that it has not appointed a data protection officer or kept a record of its own internal data processing activities.

It was also found that there is no separate privacy policy.

We asked IAB Europe to comment on the results of the supervisory authority.

A number of complaints have been filed against RTB across Europe in the past two years, starting in the UK and Ireland.

Dr. Johnny Ryan, who filed the original RTB complaints and is now a Senior Fellow with the Irish Council for Civil Liberties, told TechCrunch, “The TCF was an attempt by the tracking industry to veneer or quasi-legalize the massive data Belgian data protection agency, at the heart of the behavioral advertising and tracking industry, is now peeling the veneer and exposing the illegality.”

Ryan previously described the RTB problems as "the largest data breach ever recorded".

Last month he released another hair-raising dossier of evidence on the worrying extent of the personal information disclosed through RTB. Its findings included that a data broker used RTB to profile people in order to influence the 2019 Polish parliamentary elections by targeting LGBTQ+ people. Another data broker was found to profile and target Internet users in Ireland under the categories of 'substance abuse', 'diabetes', 'chronic pain' and 'sleep disorders'.

In a statement, Ravi Naik, the lawyer who worked on the original RTB complaints, said of the Belgian regulator's findings: “These findings are harmful and overdue. As the standard setter, the IAB is responsible for violations of the GDPR. Your supervisory authority has rightly determined that the IAB "neglects" the risks for data subjects. The IAB is now responsible for stopping these violations.”

After the RTB complaints were filed, the UK's data watchdog, the ICO, issued a warning about behavioral advertising in June 2019 and urged the industry to take note of the need to comply with data protection standards.

However, the regulator has not taken any enforcement action – unless you count several mildly worded blog posts. Most recently, it suspended its (ongoing) investigation into the problem because of the pandemic.

In a further development last year, Ireland's DPC launched an investigation into Google's online advertising exchange, looking into the lawful basis for its processing of personal data. But this investigation is one of scores that remain open on its desk. And the Irish regulator continues to face criticism for how long it takes to make decisions on major cross-border GDPR cases related to big tech.

Jef Ausloos, a postdoctoral researcher in data protection at the University of Amsterdam – and one of the complainants in the Belgian case – told TechCrunch that the DPA's move puts pressure on other EU regulators, calling out what he called their "complete" "deer in the headlights" inaction.

"I think we'll see more of these in the months / years to come, i.e. other DPAs who are sick and tired and who take matters into their own hands – instead of waiting for the Irish," he added.

“We are delighted that a data protection authority has finally decided to take over the online advertising industry at its roots. This could be the first important step to fight surveillance capitalism,” Ausloos said in a statement.

A number of steps in the regulatory process are still pending before the Belgian data protection authority takes (any) action on the substance of its inspection service's report. We asked the Belgian data protection authority for a comment.

However, according to the complainants, the regulator's findings have been forwarded to the Trial Chamber and action is expected in early 2021. This suggests that EU privacy watchers may finally see their rights safeguarded against the ad tracking / data industry complex in the near future.

For publishers, there is a need to change the way they monetize their content: rights-respecting alternatives to creepy ads are possible (e.g., contextual ad targeting that doesn't use personally identifiable information).

Some publishers have already found that moving to contextual ads is good news for their revenue. Subscription business models are also available (although not all VCs are fans).