16 October 2020
The Belgian Data Protection Authority (APD-GBA) has found serious GDPR infringements in the system Google and others use to legitimise online tracking. The system behind nearly all of the consent messages that pop up on screens in Europe has been found to infringe the GDPR. The APD-GBA is the lead enforcer on this issue for the EU.
The system is known as the “Transparency & Consent Framework (TCF)”. It was introduced by the tracking industry’s standards body, the Interactive Advertising Bureau (IAB) as an attempt to convince enforcers that online advertising’s controversial “Real-Time Bidding” (RTB) system was compliant with the GDPR. Google started to use the TCF this year.
But the IAB’s system allows companies to swap sensitive information about people, even when this has not been authorised. According to the Belgian Data Protection Authority’s Inspectorate Service,
“IAB Europe’s approach demonstrates that it neglects the risks that would impact on the rights and freedoms of data subjects”.
RTB operates behind the scenes on websites and apps. It constantly broadcasts the private things that people do and watch online to tracking companies. It also tells them where we are in the real world. There is no way of limiting what then happens to any of these data.
Europe’s RTB advertising market was worth €6.7bn in 2019. There is no estimate of the market value of personal data gathered through the RTB system. However, publishers have been increasingly worried about the theft of their audiences through the RTB system.
According to the Belgian Data Protection Authority’s Inspectorate Service, the IAB does not provide adequate controls for the processing of the most intimate data, which the GDPR calls “special category” data. Last month the Irish Council for Civil Liberties revealed that RTB data was used to profile LGBT+ people to influence a national election, and that RTB data had been used to profile victims of incest and sexual abuse.
The Belgian findings come as part of a campaign of GDPR complaints against the RTB data breach launched two years ago by Dr Johnny Ryan of the Irish Council for Civil Liberties, who was then a tech executive. He said:
“the pop-ups that plague us tens of times a day were an attempt to paint a thin legal veneer over the vast data breach at the heart of the behavioural advertising system. The Belgian Data Protection Authority is rightly peeling this veneer off, and exposing massive illegality in online behavioural advertising”.
United States
The IAB offers legal guidance to the global tracking industry. In October it began to market a system based on the TCF for California’s new privacy law, the CCPA. In August, it launched the IAB Privacy Lab, to lobby lawmakers and produce variants of the TCF for regional laws.
But the Belgian privacy watchdog has now found that even the privacy policy on the IAB’s own website infringes the GDPR, and that the IAB has failed to appoint a data protection officer.
Pierre Dewitte, of the University of Leuven, a complainant, said
“the findings about the IAB’s poor internal GDPR compliance show its lack of expertise, or interest, in the most elementary aspects of data protection and privacy law”.
The Belgian authority’s report says “the Inspection Service believes that IAB Europe is trying to avoid its liability to the GDPR, constituting an aggravating circumstance”.
Ravi Naik, solicitor who worked on the original complaints, said
“These findings are damning and overdue. As the standard setters, the IAB is responsible for breaches of the GDPR. Their supervisory authority has rightly found that the IAB “neglects” the risks to data subjects. The IAB’s responsibility now is to stop these breaches”.
The Belgian Data Protection Authority’s Inspectorate Service has forwarded its findings to the Litigation Chamber, and action will be taken in early 2021.
Dr Jef Ausloos, of University of Amsterdam, a complaint, said
“I am happy to see a data protection authority resolve to take on the tracking industry. This may be the first step in taking down surveillance capitalism”.
Who is involved in the RTB campaign?
There are 22 RTB complainants, individuals and organisations, in 16 EU Member States. They are Dr Johnny Ryan, Senior Fellow of the Irish Council for Civil Liberties; Jim Killock Executive Director of the Open Rights Group; Dr Michael Veale of the Turing Institute; Katarzyna Szymielewicz, CEO of the Panoptykon Foundation; Evelyn Austin, Director of Bits of Freedom; Gemma Galdon Clavell, CEO of the Eticas Foundation; Jose Belo; Dr Jef Ausloos of the University of Amsterdam; Pierre Dewitte of the University of Leuven; Liberties.eu; the Society for Civil Rights; Digitale courage; Ligue des droits humains; Digitale Gesellschaft; Netzwerk Datenschutzexpertise; Deutsche Vereinigung für Datenschutz; the Italian Coalition for Civil Rights and Freedoms; the Bulgarian Helsinki Committee; the Association for the Defense of Human Rights in Romania; the Italian Coalition for Civil Rights and Freedoms; the Estonian Human Rights Centre; the Peace Institute.