IAB Europe Says It's Expecting To Be Found In Breach of GDPR (techcrunch.com)
A flagship framework used by Google and scores of other advertisers for gathering claimed consent from web users for creepy ad targeting looks set to be found in breach of Europe's General Data Protection Regulation (GDPR). TechCrunch reports: A year ago the IAB Europe's self-styled Transparency and Consent Framework (TCF) was found to fail to comply with GDPR principles of transparency, fairness and accountability, and the lawfulness of processing in a preliminary report by the investigatory division of the Belgian data protection authority. The complaint then moved to the litigation chamber of the DPA -- and a whole year passed without a decision being issued, in keeping with the glacial pace of privacy enforcement against adtech in the region.
But the authority is now in the process of finalizing a draft ruling, according to a press statement put out by the IAB Europe today. And the verdict it's expecting is that the TCF breaches the GDPR. It will also find that the IAB Europe is itself in breach. Oopsy. The online advertising industry body looks to be seeking to get ahead of a nuclear finding of non-compliance, writing that the DPA "will apparently identify infringements of the GDPR by IAB Europe," and trying to further spin the finding as "fixable" within six months (it doesn't say how, however) -- while simultaneously implying the breach finding may not itself be fixed because other EU DPAs still need to weigh in on the decision as part of the GDPR's standard cooperation procedure (which applies to cross-border complaints).
In terms of timing, a final verdict on the investigation is still likely months off -- and may not emerge 'til deep into 2022. Appeals are also almost inevitable. But the tracking industry's problems are starting to look, well, appropriately sticky. In the short term, the IAB says it expects a draft ruling to be shared by Belgium with other EU DPAs in the next two to three weeks -- at which point they get 30 days to review it and potentially file objections. If DPAs don't agree with the lead authority's finding and can't agree among themselves, the European Data Protection Board may need to step in and take a binding decision -- such as happened in another cross-border case against WhatsApp (which led to a $267 million fine, a larger penalty than the lead DPA in that case had originally proposed).