The Belgian DPA brings the hammer down on IAB Europe's TCF
In this week's Privacy Insider, ICYMI on Friday:
First, the Belgian data protection authority's fine levied at IAB Europe. It was a decision we knew was coming, but now that the DPA says the organization's Transparency and Consent Framework doesn't fly under the GDPR, we can all look toward what has to happen for it to remain a viable framework.
Second, the states are starting to get moving this legislative session, and it's anyone's guess how many make it through.
First, on the IAB Europe decision: It isn't the news that the regulator deemed the TCF illegal that's significant this week. We knew the regulator was planning to come down this way based on news from 2021. The DPA gave the IAB a head's-up that it had concluded its findings and would share it with the other DPAs before its final ruling.
But now we have the DPA on record that:
- IAB Europe failed to establish a legal basis for processing the data in its TCF and offered an insufficient basis for third-party ad tech vendors that were doing the same thing.
- IAB Europe failed to implement organizational and technical measures to keep the data safe.
- IAB Europe failed to keep a register of processing activities.
- IAB Europe failed to appoint a data protection officer.
- IAB Europe failed to conduct a data protection impact assessment.
In this Twitter thread, privacy attorney Cobun Zweifel-Keegan noted that IAB Europe argued it had a legitimate interest in processing the data, and the DPA didn't necessarily disagree. But the DPA did say that the interests of the data subject are stronger. Remember, under the GDPR, you must balance your interests against the individual's. If they wouldn't "reasonably expect" the processing, their interests override the company's interests. In this case, the users can't consent to the cookies deployed under the TCF because they aren't aware it's happening.
The question is: What does that mean for the future of the TCF? Companies relying on it for consent wanna know! The good news: The DPA has also ordered IAB Europe to present an action plan that would bring its framework into compliance within two months.