Belgium’s Data Protection Authority this morning announced that it has approved IAB Europe’s action plan for the Transparency and Consent Framework, a technical infrastructure used for collecting and sending user consent for use of their personal data in digital advertising. The news has been heralded as a win by IAB Europe, which states that the decision is a validation of the legality of the TCF.
The DPA gave IAB Europe a limited window to develop an action plan after it ruled last February that the TCF doesn’t comply with the General Data Protection Regulation – the very piece of legislation which it was designed to accommodate. Theoretically, now that the action plan has been approved, IAB Europe will go about addressing the DPA’s concerns – though the true consequences aren’t too clear.
A key battleground
The Belgian DPA’s case against IAB Europe has become a key battleground in the wider debate over the use of personal data in advertising. The case itself seems at a glance very technical, perhaps even trivial. But the final outcome could have major consequences.
At its core, the TCF is designed to allow personal data to be passed through digital advertising’s pipes in a way which respects the GDPR. But some privacy advocates have argued that there is no legitimate way to pass users’ personal data to ad tech businesses which have no direct relationships with those individuals – and therefore that there’s no legitimate way to use personal data in real-time bidding-based advertising.
These groups saw the DPA’s initial decision as validation of this view. If the TCF – a framework used by a huge number of publishers and ad tech companies – was brought down, then the use of personal data in RTB could be brought down with it.
The DPA did however give IAB Europe a window to form an action plan of how it might bring the TCF in line with GDPR – and this is the action plan which has been approved today.
Crucially, IAB Europe has always contested the DPA’s decision as a faulty interpretation of the GDPR, referring the case the the Court of Appeal of Brussels. This court has since referred several questions to the Court of Justice of the European Union (CJEU) concerning key contentions around the original decision, namely:
- Whether the TC String (a digital signal containing user preferences which is specified as part of the TCF) should be considered personal data, and
- Whether IAB Europe acts as a (joint) controller for the dissemination of TC Strings and other data processing done by TCF participants
If the CJEU and Court of Appeal of Brussels’ rulings go IAB Europe’s way, then the DPA’s original decision would be moot.
Plan B secured?
Thus IAB Europe’s plan of action, while significant, looks more like a back up plan for the trade group than anything else.
The organisation will be hoping that this action plan never gets used, as it wants the original decision to be struck down by the Market Court. But if that decision doesn’t go IAB Europe’s way, there is at least a potential path to bringing the TCF in line with the DPA’s interpretation of the GDPR.
“The validation of IAB Europe’s action plan confirms the legality of the TCF as a standard that can help digital publishers and their partners comply with certain provisions of the GDPR and ePrivacy Directive”, comments Townsend Feehan, CEO of IAB Europe. “However, it is important to bear in mind that implementation of the action plan – which IAB Europe is now being required to effect over a period of six months – would entail operating changes for TCF participants that may ultimately be found inadequate by the European Court.”
Feehan’s last point outlines the tension over what happens next. According to the DPA’s original decision, IAB Europe is now obligated to complete that action plan within six months, making significant changes to the TCF. But IAB Europe is reluctant to make these changes, given that it hopes they’ll be deemed unnecessary by the market court ruling.