In a report issued last week, the Inspection Service of the Belgian data protection authority (DPA) summarized concerns it has with the IAB Europe Transparency & Consent Framework (TCF). The Inspection Service has transferred the report to an internal adjudication unit that will deliberate over the coming months. The report is not a final ruling, and contrary to the headlines from last week, the DPA has not “found the TCF to breach the GDPR.”
The report does not impact or affect current operations of the TCF.
The Inspection Service’s conclusions appear to challenge the compatibility of some aspects of the TCF with the General Data Protection Regulation (GDPR), Europe’s flagship privacy law.
The report also comes to the conclusion that IAB Europe acts in the capacity of “data controller” in its role as Managing Organization of the TCF. We share IAB Europe’s skepticism in relation to this, which, if upheld, would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers. The Belgian DPA considered whether IAB Tech Lab was also a data controller but came to the conclusion that it was not.
The programmatic advertising marketplace, which is supported in part by IAB Tech Lab’s OpenRTB protocol, comprises a growing majority of the €64 billion digital advertising market in Europe, providing thousands of publishers across Europe, including small independent publishers, with a dependable source of revenue. As a result, Europeans today have access to more free and low cost media, news, and services than at any time in history.
Privacy compliance in this marketplace is supported by the TCF, which was promulgated to comply with GDPR and Europe’s ePrivacy Directive in the context of programmatic advertising. Following the roll-out of TCF v2 in August 2020, approximately 80% of non-app programmatic bid requests emanating from the EU carry a TCF string.
We remain optimistic that through open dialogue the DPA’s concerns and accusations can be addressed. As our partners at IAB Europe said in response to this report, “we will be fully engaging with the DPA over the coming months as its services conduct evaluations on the merits of the report. We will also continue to work with regulators and seek their guidance on how the TCF can promote compliance with both the GDPR and the ePrivacy Directive.”