A complex investigation into the GDPR compliance of the Transparency and Consent Framework platform of the IAB Europe federation, which brings together stakeholders in the field of behavioral advertising, has come to an end with a €250,000 sanctioning decision adopted by the Belgian authority.
Measure of the Belgian authority
The voluminous decision of the Belgian supervisory authority against IAB Europe (over 120 pages) concerns the platform created by the latter – and made available to companies and organizations – for the collection and management of consent in the case of behavioral advertising and, more specifically, of that type of advertising that is known technically as “Real Time Bidding” or “RTB”.
One stop shop
The decision by the Belgian authority (Autorité de protection des données, “APD”) was issued as a result of the cooperation mechanism between the different GDPR authorities involved, as:
- IAB Europe has its only “establishment” in Belgium
- the activities in question have a significant impact on data subjects located in different Member States, so much so as to be considered “cross-border processing” (Article 4(23)(b), GDPR)
- the DPA is the lead supervisory authority (art. 56, GDPR) competent to act for cross-border processing under the cooperation mechanism (or “one-stop shop” art. 60, GDPR) with the other supervisory authorities concerned.
Real Time Bidding “RTB”
Real Time Bidding, or real-time advertising bidding, is a kind of automated online advertising carried out through an approach known as “programmatic advertising”. Real Time Bidding consists of a network of partners using big data applications to optimize the sale of commercial and behavioral advertising through auctions that are automated and instantaneous, i.e. in real time. RTB connects the advertising supply (the suppliers of advertising space, called “publishers”, i.e. companies that own a website or an app with advertising spaces) with the demand (the buyers of advertising space, called “advertisers”, i.e. companies that want to show advertising for their products or services in a targeted manner to website visitors and app users). Between the supply and demand actors there are intermediaries and data management platforms that make the entire complex process work.
RTB operations, through requests for offers, constitute personal data processing to which the GDPR applies.
Source: Belgian Authority
IAB Europe TCF
IAB Europe is a federation representing the digital advertising and marketing industry at the European level. IAB Europe’s Transparency & Consent Framework “TCF” constitutes a separate set of policies, technical specifications, terms and conditions, created, managed and administered by IAB Europe, which should be able to inform users about advertisers’ activities, as well as obtain valid consent from those users in relation to the processing of their personal data in a real-time advertising bidding system. Therefore, the RTB and TCF systems are interconnected, as the TCF would aim to ensure that personal data processing operated through the RTB is managed in accordance with GDPR and ePrivacy.
IAB Inc. OpenRTB
TCF is closely related to OpenRTB implemented by IAB Inc, the American parent company of IAB Europe. “The OpenRTB is a standard protocol that aims to simplify the interconnection between ad space providers, publishers (ad exchanges, Sell-Side Platforms, or networks working with publishers), and competing buyers of ad space (bidders, Demand-Side Platforms, or networks working with advertisers). The overall objective of OpenRTB is to establish a common language for communication between buyers and vendors of advertising space” (par. 24 of the measure). Despite the fact that the most critical issues with regard to compliance with the GDPR are to be found precisely in the area of operations of the OpenRTB, the latter has not been the subject of the APD’s decision, since the complaints presented to the Belgian authority were limited to the TCF. But since, as stated by IAB Europe during the proceedings before the APD, the TCF provides accountability and transparency to OpenRTB, the conclusions reached by the Belgian authority in this circumstance will inevitably have consequences for the processing of personal data in the real-time bidding ecosystem (such as OpenRTB).
Subject of the APD measure
The subject of APD’s decision and the related “one stop shop” mechanism with the other supervisory authorities involved is only the TCF platform, so the resulting order is addressed solely to IAB Europe. Therefore, the same order is without prejudice to the assessment of the processing operations carried out by the other players that make use of the TCF or that operate in the RTB universe. From this point of view, the APD measure, while not interfering with the free evaluations of the other national regulators, constitutes an important precedent with respect to behavioral advertising and, in particular, RTB: that is, in addition to the criticism of TCF already contained in the APD measure, in the future actions could be taken against players other than IAB Europe and in areas beyond the TCF, such as the more general context of behavioral advertising and RTB (see IAB Europe press release).
In addition, the same decision intentionally did not address certain aspects falling within the scope of the TCF, either due to a lack of adequate preliminary information (such as, for example, the impact on personal data transfer) or due to the choice to limit the scope of intervention. Consequently, the TCF itself or the RTB system connected to it could be the object of further action.