Week of November 22, 2021
November 30, 2021
The Belgian DPA announced that it has finalized and sent to its European counterparts a draft decision regarding compliance by IAB Europe’s Transparency & Consent Framework (TCF) with GDPR. According to the announcement, 27 supervisory authorities have indicated their willingness to be involved in the procedure. The DPAs will have a period of 4 weeks to provide feedback, after which the decision will either be finalized, revised or sent to dispute resolution.
WHY IT MATTERS
A copy of the draft decision has not been made public, but IAB Europe issued a statement earlier this month revealing that the draft opinion was expected to find the “TC Strings” that are passed through the TCF to constitute personal data controlled by IAB Europe under the GDPR. The willingness of 27 DPAs to be involved in the procedure indicates the anticipated implications of the decision across Europe, but it’s unclear at this point whether the DPAs will align with or dispute the decision.
The UK Information Commissioner’s Office (ICO) published an Opinion detailing its expectations for new online advertising initiatives posed by Google and other market participants, encouraging such participants to demonstrate how their proposals meet such expectations. The Opinion suggests that all new initiatives should engineer data protection requirements by default, offer users the choice of receiving ads without tracking, profiling or targeting based on personal data, be transparent about how and why personal data is processed across the ecosystem and who is responsible for the processing, articulate the specific purposes for processing personal data and demonstrate how that is fair, lawful and transparent, and address existing privacy risks and mitigate any new privacy risks that their proposal introduces.
WHY IT MATTERS
In addition to setting out the ICO’s expectations for new initiatives, the ICO provides its insights into certain existing initiatives, including that the TCF and its use by publishers have not significantly addressed concerns previously posed by the ICO and that Global Privacy Control (GPC) does not appear to offer a means by which user preferences can be expressed in a way that fully aligns with UK data protection requirements. The ICO also warned that identifier-based solutions may not sufficiently address the ICO’s issues regarding transparency, control, consent or accountability, pointing out that PECR applies if terminal equipment information is processed, regardless of whether the information is personal data, and that identifier-based solutions involving the original email address may not result in effective pseudonymisation. Overall, the ICO made clear that solutions seeking to preserve “business as usual” will not meet its expectations and that the industry “must recognise the need for change”.
The UK Competition and Markets Authority (CMA) revealed eight new commitments offered by Google to address the CMA’s concerns with Google’s Privacy Sandbox proposals. Among other commitments, Google agreed to clarify internal limits on data Google can use, provide greater certainty to third parties developing alternative technologies, report regularly to the CMA on how Google has taken account of third party views and to maintain its commitments for 6 years from acceptance by the CMA. The CMA will consult on the commitments until December 17, after which, if the commitments are accepted, the CMA will close its investigation.
WHY IT MATTERS
The CMA has been investigating Google’s proposals for almost a year. Google offered a previous set of commitments in June 2021, to which the CMA responded with several concerns, resulting in the current set of updated commitments. If the CMA accepts the commitments, they will become legally binding, forcing Google to maintain an ongoing 6-year reporting relationship with the CMA.
The French DPA (CNIL) published guidelines regarding alternatives to third-party cookies, reminding companies that such ad targeting innovations must “always be compliant with the data protection legal framework, especially, the rules regarding consent and the rights of data subjects.” The guidelines walk through concepts of first-party cookies, fingerprinting, single sign-on, unique identifiers and cohort-based ad targeting and highlight the importance of allowing users to keep control over their data, avoiding the processing of sensitive data, and remaining responsible for the implementation of tracking techniques.
WHY IT MATTERS
Like the ICO privacy standards mentioned above, the CNIL guidance stresses that, regardless of whether personal data are processed, access to the user’s terminal equipment for storing or recording information for non-strictly-necessary purposes requires prior written consent. In other words, removal of third-party cookies, or even personal data, from ad targeting doesn’t necessarily eliminate a company’s obligations under GDPR, ePrivacy and other privacy laws.
India’s Joint Parliamentary Committee reportedly adopted a draft report on the Personal Data Protection Bill 2019, moving the bill forward for presentation in the Winter Session of Parliament.
WHY IT MATTERS
This bill is almost two years in the making. The panel finalized a previous draft report last year, but consultations were reopened in September when a new chairman of the Joint Parliamentary Committee made several changes to the bill, including expanding certain provisions to cover both personal and non-personal data. This latest version reportedly contained some last-minute changes regarding government agency exemptions and application to social media platforms.
The United Arab Emirates President reportedly approved, as part of a larger legislative package, a comprehensive Data Protection Law that, among other provisions, prohibits the processing of personal data without consent, imposes certain security and data-transfer obligations, and extends user rights to correct, restrict and opt out of the processing of personal data. The President also approved a law to establish the UAE Data Office dedicated to the protection of personal data.
WHY IT MATTERS
The Data Protection Law is the UAE’s first-ever comprehensive data privacy law at the federal level. Certain free trade zones of the UAE previously had data protection regimes, but until now, there has been no law or central regulator at the national level, which had left onshore areas under federal jurisdiction without data privacy protection. Some speculate adoption of the federal Data Protection Law may lead to an adequacy decision for data transfers from the European Union.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.