Interactive Adverting Bureau Europe fined for the non-compliance of its Transparency & Consent Framework Summary The Interactive Adverting Bureau Europe (IAB Europe) the DPA held that IAB Europe was exerting control developed an operational consent solution for parties in the capacity of data controller. According to IAB in the digital advertising industry known as the Europe itself, however, the association merely held Transparency and Consent Framework (TCF). the status of data processor in the context of the TCF for two main reasons. Firstly, the association argued IAB Europe represents the digital advertising and that TC Strings contain technical information only, i.e. marketing industry across Europe. The association the binary indication of whether a user consented to was the subject of several complaints concerning the processing purposes on a given website. As such, various breaches of GDPR due to its alleged large-scale TC Strings contain no unique identifier (such as the IP processing of personal data in the context of the TCF. address) and should not be qualified as personal data The TCF provides an environment where website according to IAB Europe. Secondly, regardless of the publishers can communicate with consumers, legal qualification of TC Strings, IAB Europe did not own, specifying how data is collected and disclosing its process, or coordinate the use of specific TC Strings intended use by the website owner and its partners. and consequently argued that its role did not amount User preferences are captured by generating a so- to that of a data controller. called TC String (Transparency and Consent String), As a result of the misconceptions related to IAB Europe’s consisting of a combination of letters, numbers and role as being either data controller or processor, the other characters. As users browse websites using the association did not establish sufficient legal basis TCF (pop-ups) to collect consent, the placement of under GDPR according to the Belgian DPA. Similarly, cookies or other advertisement identifiers and tracking the DPA found that IAB Europe had breached several technologies on their devices allow adtech vendors to provisions by failing to conduct a data protection bid on user profiles, exposing users to advertisements impact assessment, appointing a DPO, and maintaining according to their individual commercial preferences. a register of their processing activities. A question central to the case is whether TC Strings qualify as personal data under GDPR. The Belgian DPA issued the fine on 2 February 2022 and In relation to the TCF, the role of IAB Europe under GDPR ordered IAB Europe to produce, within two months, an is disputed. Arguments were made by the Belgian action plan for securing the compliance of the TCF. IAB DPA that IAB Europe acted as data controller for the Europe appealed the decision to the Brussels Market recording of TC Strings as well as joint data controller Court of Appeal on 4 March 2022. alongside other actors implementing the TCF such as website owners, adtech vendors and others collecting and disseminating users’ preferences. In this regard, the DPA pointed to the decisive influence of IAB Europe on the purposes and means of data processing through its role as designer of the TCF and managing body of organizations participating in the TCF. By enabling the generation of the TC String and determining the policies for how consent might be obtained and disseminated, Published: 15-01-2021, Journal number: DOS-2019-01377 Tags: 01 Legal basis and principles of processing, 72 02 Right of access and obligation to provide information, 05 Data security