Data Protection Authority investigation finds that the IAB Transparency and Consent Framework infringes the GDPR.

This note summarizes findings of an investigation by the GDPR supervisory authority with responsibility for the IAB in Europe. 

16 October 2020

The Belgian Data Protection Authority (APD-GBA) has conducted an investigation of the IAB and its Transparency and Consent Framework in response to our complaints (there are now 22 complainants). It has found serious GDPR infringements. This has big implications. 

The APD-GBA is the lead enforcer on this issue for the EU, so its findings are particularly significant. This note summarizes the findings. 

Findings on TCF and RTB 
The APD-GBA Inspectorate Service has agreed with our complaints, and concluded that the IAB Framework allows companies to swap sensitive information about people even when this has not been authorised. It reports that: 

“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects”. 

In addition, the IAB Framework provides inadequate controls for the processing of intimate personal data that occurs in the RTB system: 

“The TCF does not provide adequate rules for the processing of special categories of personal data. However, the OpenRTB standard, framed by IAB Europe’s TCF, does allow the processing of special categories of personal data”. 

For an example of just how intimate RTB data can be, see the material I released last month that revealed that RTB data was used to profile LGBT+ people to influence a national election.

The APD-GBA also noted that 

“the Inspection Service believes that IAB Europe is trying to avoid its liability to the GDPR, constituting an aggravating circumstance”.
United States and IAB Europe’s internal compliance failures 

The APD-GBA report also presents findings that have implications for that organization outside Europe. The IAB, and IAB Europe, purport to offer legal guidance to the global tracking industry. In October the IAB began to market a system in the US that is based on IAB Europe’s Transparency and Consent Framework, and presented it as a compliance system for California’s new privacy law, the CCPA. In August, IAB Europe launched the IAB Privacy Lab together with IAB TechLab, to lobby lawmakers and produce variants of the IAB Framework for regional laws. 

But the APD-GBA report makes clear that IAB Europe’s credentials on compliance are non-existent. It highlights elemental mistakes in its own GDPR compliance. First, IAB Europe’s own website has a privacy policy that infringes the GDPR. I filed a formal GDPR complaint about this in April 2019.

“The Inspectorate finds that IAB Europe has failed to fulfil its obligations under Article 12(1) of the GDPR and Articles 13 and 14 of the GDPR. … The information provided is incomplete, insufficient and therefore does not comply with the obligations laid down in Article 13 and 15 of the GDPR.”

In addition, the APD reports that IAB Europe failed in other basic GDPR compliance measures. It did not appoint a data protection officer, or maintain a registry of what it does with personal data, or have clearly defined controller/processor relationships with its own service providers. 

What happens next  
The APD-GBA Inspectorate Service has forwarded its findings to the APD-GBA Litigation Chamber, and both the complainants and the IAB will be heard. After that, action will be taken in early 2021. 

The IAB “Framework” is used by Google and others to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. Now, the APD-GBA is peeling this veneer off.