IAB Europe says it expects to be found in breach of GDPR

Is this the beginning of the end for the hated tracking cookie consent pop-up? A flagship framework used by Google and many other advertisers to collect internet users’ claimed consent for spooky ad targeting appears to violate the European General Data Protection Regulation (GDPR).

A year ago, a preliminary report by the investigation division of the Belgian data protection authority found that IAB Europe’s self-proclaimed Transparency and Consent Framework (TCF) does not comply with the GDPR principles of transparency, fairness and accountability, or with the lawfulness of processing.

The complaint was then transferred to the DPA’s litigation chamber – and an entire year went by without a decision being made, in keeping with the glacial pace of privacy enforcement against adtech in the region.

But the authority is now in the process of finalizing a draft decision, according to a press release issued today by IAB Europe. And the verdict it is expecting is that the TCF is in breach of the GDPR.

It will also find that IAB Europe is itself in breach. Oopsy.

The online advertising industry body is seeking to preempt a nuclear finding of non-compliance, writing that the DPA will “apparently identify GDPR breaches by IAB Europe”, and attempting to pass the finding off as “fixable” within six months (it doesn’t say how, though) – while simultaneously implying that the finding of infringement may not itself be settled, as other EU DPAs have yet to weigh in on the decision as part of the standard GDPR cooperation procedure (which applies to cross-border complaints).

The preemptive statement (and its Friday afternoon timing) looks a lot like IAB Europe trying to both spin and bury bad news, and so calm the nerves of the tracking industry ahead of headlines saying that a flagship tool is illegal – something EU privacy activists have of course been saying for literally years.

In terms of timing, a final verdict on the investigation is still likely months away – and may not come out until 2022. Appeals are also almost inevitable. But the issues in the tracking industry are starting to seem, well, thorny enough.

In the short term, the IAB says it expects a draft decision to be shared by Belgium with other EU DPAs within the next two to three weeks – they then have 30 days to examine it and possibly file objections.

If the DPAs disagree with the lead authority’s conclusion and cannot come to an agreement among themselves, the European Data Protection Board may need to step in and make a binding decision, as happened in another cross-border case against WhatsApp (which resulted in a fine of $267 million, a larger penalty than that originally proposed by the lead DPA in that case).

This GDPR cooperation mechanism can therefore make the procedures last for several more months.

The plaintiffs against IAB Europe and its TCF, meanwhile, told us they had neither seen nor received details of the DPA’s draft ruling.

It therefore seems rather irregular that the advertising industry body had knowledge of an incoming decision before the other parties to the complaint.

But one of the plaintiffs, Johnny Ryan of the Irish Council for Civil Liberties, quickly issued his own press release, in which he wrote: “We won. The online advertising industry and its commercial body, ‘IAB Europe’, have deprived hundreds of millions of Europeans of their basic rights.

“IAB Europe designed the deceptive ‘consent’ pop-ups that appear on almost all European websites and apps (over 80%). This system is known as the ‘Transparency & Consent Framework’ (TCF) of IAB Europe. These pop-ups claim control over how their data is used by the online advertising industry. But in fact, it doesn’t matter what people click.”

The impending finding of illegality comes at an interesting time for the tracking ad industry, with action underway in the European Parliament to push for an outright ban on behavioral advertising to be incorporated into incoming pan-European regulations for digital services – in favor of privacy-safe alternatives like contextual advertising.

The finding that the flagship tool used by the tracking industry to claim ‘consent’ to behavioral ads does not work legally under EU law will surely amplify calls for a cleanup by banning the practice altogether.

According to IAB Europe, the Belgian DPA’s draft decision will find that it is a data controller for the TCF’s “TC Strings”, aka “the digital signals created on websites to capture choices of data subjects regarding the processing of their personal data for digital advertising, content and measurement”, as it puts it.

(Or – in Ryan’s words – “the identifying code created about a person, based on the apps they use and websites they visit, and what they click on in consent pop-ups.”)

It will also find that IAB Europe is a “joint controller” for the TC Strings that are used in OpenRTB (Real-Time Bidding) – meaning that the industry body will have a series of risky new responsibilities related to the data processing around programmatic behavioral advertising (with many legal responsibilities and the risk of hefty fines if it fails to meet GDPR requirements such as privacy by design and by default; specific, informed, and freely given consent; and appropriate security for people’s data).

Here’s Ryan again, briefly outlining the side case against RTB:

For almost four years, websites and apps have plagued Europeans with this “consent” spam. But our evidence shows that IAB Europe knew that conventional tracking-based advertising was “incompatible with consent under GDPR” before launching the consent system.

Indeed, the leading tracking-based advertising system called “Real-Time Bidding” (RTB) broadcasts the behavior of Internet users and their actual locations to thousands of businesses, billions of times a day. RTB is the biggest data breach on record. There is no way to protect the data in this self-service. (We are also arguing against RTB in Hamburg.)

In a proceeding initiated by a group of complainants coordinated by the Irish Council for Civil Liberties, the Belgian Data Protection Authority is set to adopt a draft decision which will conclude that IAB Europe’s ‘consent’ pop-up system violates the GDPR, confirming our arguments over several years.

IAB Europe’s spin in trying to shirk responsibility for protecting people’s data is to try and spread the blame elsewhere – claiming it didn’t see itself as a data controller “based on directives from other DPAs so far,” among other excuses.

“As a result, it naturally failed to fulfill certain obligations incumbent on data controllers under the regulation,” continues IAB Europe, carefully avoiding apologies.

(Here is Ryan’s quote: “IAB Europe is jointly responsible and liable with thousands of online advertising agencies when personal data is released in the RTB data free-for-all. IAB Europe has tried to deny it.”)

Instead of apologizing, IAB Europe is devoting its energy to suggesting that there will be an easy way to resolve the tracking industry’s legality issue, writing: “The draft decision will require that IAB Europe work with the DPA to ensure that these obligations are met.”

Making more soothing noises to the market, it also describes itself as “optimistic” that the TCF can be corrected.

But hey, it would say that, wouldn’t it?

The online advertising industry body has previously denied that there have been any prosecutions against TCF or RTB’s use of people’s data.

So, well, its record here shouldn’t inspire confidence.

“Google and the entire tracking industry rely on IAB Europe’s consent system, which will now be deemed illegal,” Ryan added in a statement. “IAB Europe has created a bogus consent system that spams everyone, every day, and does no more than give thin legal cover to the massive data breach at the heart of online advertising. We hope that the decision of the Belgian Data Protection Authority will finally force the online advertising sector to reform.”

Another plaintiff in the case, Jef Ausloos, postdoctoral researcher in data privacy at the University of Amsterdam, suggests that the IAB Europe statement is an attempt to sow doubt among other DPAs in the EU – and called its claim that the identification codes used for targeted advertising are not personal data “absurd”.

He also described the Belgian finding as “only the very beginning of the process as I see it”, adding: “We have come a long way already but, anyway, it will still take some time.”

At the time of writing this report, the Belgian DPA had not responded to our request for confirmation of an imminent draft decision.

A spokesperson for IAB Europe said she had “only been informed of the main conclusions of the draft decision”. She did not specify how she obtained the information before the complainants. (Update: We asked if the information came from the Belgian DPA and they said “yes, that’s correct.”)
