Google, Amazon, and the entire tracking industry rely on IAB Europe’s consent system, which has now been found to be illegal following complaints coordinated by ICCL.
EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.
2 February 2022. (Updated on 5 February with additional detail and infringements)
In a decision of 2 February 2022, 28 EU data protection authorities, led by the Belgian Data Protection Authority as the leading supervisory authority in the GDPR’s one-stop-shop mechanism, found that the online advertising industry’s trade body “IAB Europe” commits multiple violations of the GDPR in its processing of personal data in the context of its “Transparency and Consent Framework” (TCF) and the Real-Time Bidding (RTB) system.
The consent popup system known as the “Transparency & Consent Framework” (TCF) is on 80% of the European internet. The tracking industry claimed it was a measure to comply with the GDPR. Today, GDPR enforcers ruled that this consent spam has, in fact, deprived hundreds of millions of Europeans of their fundamental rights.
The findings:
The TCF consent system was found to infringe the GDPR in the following ways:
- TCF fails to ensure personal data are kept secure and confidential (Article 5(1)(f) and Article 32 GDPR)
- TCF fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by online tracking-based "Real-Time Bidding" advertising (Article 5(1)(a) and Article 6 GDPR)
- TCF fails to provide transparency about what will happen to people’s data (Articles 12, 13 and 14 GDPR)
- TCF fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR)
- TCF fails to respect the requirement for data protection by design (Article 25 GDPR)
- International transfers of the data do not provide adequate protection (Article 44, Article 45, Article 46, Article 47, Article 48, Article 49).[1]
IAB Europe negligent
The decision says IAB Europe “was aware of risks linked to non-compliance”[2] and “was negligent”.[3]
IAB Europe was also found to have failed to fulfil its internal data protection obligations:
- IAB Europe's failure to maintain records of data processing (Article 30 GDPR)
- IAB Europe's failure to conduct a data protection impact assessment (Article 35 GDPR)
- IAB Europe's failure to appoint a Data Protection Officer (Article 37 GDPR)
Real-Time Bidding
Citing the TCF’s “systematic deficiencies”,[4] the decision found that "the processing operations carried out on the basis of the OpenRTB protocol are not in accordance with the basic principles of purpose limitation and data minimisation".[5]
In addition, it stated:
"the TC String plays a pivotal role in the current architecture of the OpenRTB system. Thereby, the TC String supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects."[6]
Further, “consent is not a valid basis for the processing operations in the OpenRTB facilitated by the TCF”.[7]
Deletion of data
All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.
The decision said those who implement the TCF must “take the appropriate measures, in line with Articles 24 and 25 GDPR, ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly”.[7][8]
Background
These findings are the result of proceedings initiated by complainants at the Belgian Data Protection Authority, coordinated by the Irish Council for Civil Liberties. The group of complainants includes: Dr Johnny Ryan of the Irish Council for Civil Liberties, Katarzyna Szymielewicz of the Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, and Dr Pierre Dewitte. The Belgian procedure follows complaints about the insecurity of the online advertising “Real-Time Bidding” (RTB) system that Dr Ryan initiated in 2018.
The decision was made by the Belgian Data Protection Authority in agreement with 27 other EU data protection authorities, and is immediately binding and enforceable across the European Union under the GDPR’s “one stop shop” mechanism.
“This has been a long battle”, said Dr Johnny Ryan of the Irish Council for Civil Liberties. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies”.
We wish to thank our lawyers, Frederic Debusseré and Ruben Roex of Timelex.
We are reading the decision in detail, and will publish our more detailed analysis at a later point.
Full decision here:
Notes
[1] Paragraph 490 of decision.
[2] Paragraph 547 of decision.
[3] ibid.
[4] Paragraph 546 of decision.
[5] Paragraph 429 of decision.
[6] Paragraph 545 of decision.
[7] Paragraph 495 of decision.
[8] Paragraph 535 of decision.