Belgian Court of Appeal upheld the ruling that IAB Europe's TCF violates GDPR


In a landmark decision, the Belgian Court of Appeal has upheld the Belgian Data Protection Authority’s (DPA) ruling that the Transparency & Consent Framework (TCF), developed by IAB Europe, violates the General Data Protection Regulation (GDPR).

This ruling has profound implications for the digital advertising industry, particularly for major players like Google, Microsoft, Amazon, and X (formerly Twitter), who rely on the TCF for obtaining user consent for data processing.

Background

The TCF is a mechanism designed to help digital advertisers and publishers manage user consent for data processing activities, especially in the context of Real-Time Bidding (RTB). It facilitates the collection and sharing of user preferences through a unique Transparency and Consent (TC) String, which is linked to an identifiable user. This framework is implemented via Consent Management Platforms (CMPs) and is prevalent across approximately 80% of the internet.

In February 2022, the Belgian DPA concluded that IAB Europe is a joint data controller with other participants in the TCF, such as publishers and ad tech vendors. The DPA identified several GDPR infringements, including:

  • Lawfulness: IAB Europe failed to establish a valid legal basis for processing TC Strings, and the grounds offered for subsequent processing by ad tech vendors were inadequate.
  • Transparency: The information provided to users through the CMP interface was too generic and vague, hindering users’ understanding of the nature and scope of the processing.
  • Accountability and Security: There were insufficient organizational and technical measures to ensure data protection by design and by default.
  • Other Obligations: IAB Europe did not maintain a register of processing activities, appoint a Data Protection Officer (DPO), or conduct a Data Protection Impact Assessment (DPIA).

As a result, the DPA imposed a €250,000 fine and mandated that IAB Europe submit an action plan within two months to bring the TCF into compliance with the GDPR.

Court of Appeal’s Ruling

The Belgian Court of Appeal has now affirmed the DPA’s decision, reinforcing the view that the TCF does not comply with the GDPR. The court emphasized that the TCF’s design and implementation failed to ensure that users’ consent was informed, specific, and freely given, as required under the GDPR.

Implications for the AdTech Industry

This ruling sends a clear message to the digital advertising industry about the importance of GDPR compliance. Companies relying on the TCF must reassess their consent management practices to ensure they align with data protection laws. Failure to do so could result in significant legal and financial repercussions.

The decision also highlights the need for greater transparency and accountability in data processing activities. Organizations must provide users with clear and concise information about how their data will be used and ensure they have meaningful control over their personal information.

Conclusion

The Belgian Court of Appeal’s affirmation of the DPA’s ruling against IAB Europe’s TCF underscores the evolving regulatory landscape for data protection in the digital advertising sector. As privacy concerns continue to grow, companies must prioritize compliance with data protection regulations to maintain user trust and avoid legal challenges.
