7 March 2024
Europe’s top court rules that IAB Europe is responsible under the GDPR for the “TCF” consent spam popups that appear on almost every website
Europe’s highest court today delivered a judgement about the consent spam popups that have plagued people for years all over the Internet in Europe. The Court has ruled that IAB Europe, a tracking industry association, is responsible under the GDPR for the “Transparency and Consent Framework” (TCF) consent system. Google, Amazon, Microsoft, TikTok, and hundreds of other tracking-based online advertising companies rely on IAB Europe’s consent system, which Europe’s data protection authorities have already found to be in violation of the GDPR following our complaint.
IAB Europe commits multiple violations of the GDPR in its processing of personal data in the context of its TCF and the “Real-Time Bidding” (RTB) online advertising system. The TCF has been used to falsely legitimise the indiscriminate broadcasting of personal data of millions of people in Europe to companies everywhere, including to companies in China and Russia.[1] This happens 71 trillion times per year.[2]
IAB Europe argued that it is not responsible under the GDPR as a “data controller” because it allegedly only sets the rules for how data should be used, but does not process the data itself. The Court rightly rejected this, and confirmed that IAB Europe, as management body for the TCF, is a “data controller” under the GDPR.
The Court’s ruling today shows just how broad the protection of people’s personal data is in Europe. The online tracking and advertising industry is surreptitiously collecting and broadcasting highly sensitive data about everyone who uses the internet. Today’s decision will force the industry to change profoundly. Google, Amazon, Microsoft, and so on can no longer evade their responsibilities by claiming that the data they use is not protected by the law.
“People across Europe have been plagued by fake “consent” popups every day on almost every website and app since the GDPR was introduced almost six years ago”, said Dr Johnny Ryan of ICCL Enforce. “IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight. This decision will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry.”
The Court’s decision
Background
The questions answered by the Court today were posed by complainants coordinated by Enforce, a unit of the Irish Council for Civil Liberties (ICCL). The group of complainants includes: Dr Johnny Ryan of Enforce, Katarzyna Szymielewicz of the Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, and Dr Pierre Dewitte. The ruling follows complaints about the insecurity of the online advertising “Real-Time Bidding” (RTB) system that Dr Ryan initiated in 2018.
On 2 February 2022 the Belgian Data Protection Authority, in agreement with 27 other EU data protection authorities, ruled that the “TCF” consent spam system is illegal.[3] This decision meant that the entire online advertising had unlawfully processed the data of everyone in Europe for years.
However, this was appealed at the Brussels Markets Court. First, IAB Europe appealed the substance of the decision, and the complainants appealed against part of its implementation. Questions that the complainants proposed were referred by the Brussels Markets Court to the European Court of Justice in September 2023.
The Brussels Markets Court can now proceed to rule on the matter with certainty that IAB Europe is indeed responsible, and that the data concerned are protected by the GDPR.
We wish to thank our lawyers, Frederic Debusseré and Ruben Roex of Timelex.
We are reading the decision in detail, and will publish our more detailed analysis at a later point.
Full decision here
Contact
For media queries: taragrace.connolly@iccl.ie +353 (0) 87 4157162
Notes
[1] Europe’s Hidden Security Crisis, ICCL, 2023 (URL: https://www.iccl.ie/digital-data/europes-hidden-security-crisis/), p. 8.
[2] Europe’s Hidden Security Crisis, ICCL, 2023 (URL: https://www.iccl.ie/digital-data/europes-hidden-security-crisis/), p. 6.
[3] https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022.pdf