FAQ: Updates on the Belgian DPA’s investigation of the IAB’s TCF
November 30, 2021
Updated 30 November 2021
The IAB Europe’s Transparency & Consent framework (TCF) is the most widely-used advertising industry framework for GDPR compliance. Launched in 2018, it is used by Consent Management Platforms (CMPs) who have been validated by the IAB Europe, across the biggest media companies in Europe and the US.
A year ago, a series of GDPR complaints were filed against the IAB Europe by a pan-European consortium of privacy activists, including Johnny Ryan of the Irish Council for Civil Liberties and previously Chief Privacy Officer at privacy-first browser Brave. These complaints were focused on the IAB Europe’s Transparency & Consent Framework; in parallel, there were complaints about Real Time Bidding (RTB).
An investigation by the inspection service of the Belgian Data Protection Authority (DPA), known as the APD, issued a preliminary report with findings that the TCF fails to comply with the GDPR principles of transparency, fairness and accountability, and the lawfulness of processing. Subsequently, this moved to the litigation chamber of the APD. The draft decision has now been released and sent to the other European DPAs for feedback.
WHEN WILL THE BELGIAN DPA (APD) ISSUE A FINAL RULING?
On 25th November 2021, the APD announced that it has finalized and sent to its European counterparts a draft decision regarding compliance by IAB Europe’s TCF with GDPR. According to the announcement, 27 supervisory authorities have indicated their willingness to be involved in the procedure.
The DPAs will have a period of 4 weeks to provide feedback, after which the decision will either be finalized, revised or sent to dispute resolution.but there has been no ruling yet.
The APD’s draft ruling has be released in the midst of the UK ICO’s recent calls for G7 countries to reform the cookie banner to combat “consent fatigue” and allow for more “meaningful” consent, as well as a push by a member of the European Parliament to ban targeted advertising.
WHAT DOES THIS MEAN FOR THE FUTURE OF THE TCF?
We believe this is an opportunity to improve the standard. Sourcepoint is monitoring the situation very closely, but we don’t expect any changes for our clients in the near future. We’ll continue to be your partner, and help you adapt to the ever-changing regulatory landscape. Standards are a very good thing for compliance, and this is something we know that many DPAs agree on.
ARE THE OTHER DPAS LIKELY TO MAKE SIMILAR RULINGS?
As part of the GDPR Cooperation Procedures, the Belgian DPA (the APD) has to bring their draft ruling to the other DPAs to reach agreement. If they can’t come to an agreement, it will be referred to the European Data Protection Board (EDPB) for a binding decision. It’s too soon to say what will happen, but in either case, this is not going to happen overnight.
WHEN WOULD I HAVE TO MAKE CHANGES TO MY CMP IMPLEMENTATION?
It’s important to remember that this is all going to take time. As of this writing (30th November 2021), the Belgian DPA’s draft ruling has not been published, but per GDPR procedures, it has been shared with the other DPAs, who now have 30 days to review it. Depending on the outcome of that review, the Belgian DPA may adopt a final ruling or the matter may be referred to the EDPB for a binding decision, which would also take some time.
Subsequently, per the IAB Europe, there may be a six-month period to fix any issues found by the DPA and revise the TCF accordingly. Such collaborative work would enable the TCF to become a transnational GDPR code of conduct, which many DPAs have been saying is necessary for some time. This would only strengthen the TCF as a framework for compliance.
Reach out if you have questions
An essential part of our business model is anticipating changes in the data privacy landscape and adapting our product and services to help you navigate those changes. We’re prepared to support you in making any changes needed. This is why Europe’s largest publishers choose to partner with Sourcepoint for GDPR compliance.
This post is provided for general, informational purposes only, does not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
Belgian DPA finalizes draft IAB decision for DPA feedback....
An investigation by the inspection service of the Belgian...
Bedoya testifies in FTC nomination hearing, plus federal online...
Latest White Papers
How to review your vendor list to mitigate compliance...
Keep in touch
Sign up for our newsletter to keep up with the latest privacy and media news.