When the trade body for online advertising was found in breach of the General Data Protection Regulation (GDPR) by the Belgian Data Protection Authority (APD) last month, it was not the fine of 250,000 euros (then-U.S. $286,000) that stung the most.

According to the chief executive of the European arm of the Interactive Advertising Bureau (IAB), Townsend Feehan, it was “grossly unfair” that “a small body like ours should bear legal responsibility for the data processing activities of an entire industry.”

The crux of the problem is the APD considers the IAB a data controller—therefore, directly accountable under the GDPR for how companies use its framework when carrying out digital marketing.

“It’s unbelievable that we, as a standard-setting organization, have been fined under the very regulation that we are trying to make an entire industry compliant with.”

Townsend Feehan, CEO, IAB Europe

The IAB’s Transparency and Consent Framework (TCF)—the de facto standard for the adtech industry—is meant to be a GDPR-compliant way for companies to use and profile customers’ personal data so they can target customers with more specific advertising and digital content based on their preferences.

Big Tech firms Amazon and Google are among hundreds of companies globally that have signed up to it.

The APD believes the framework fails to comply with the GDPR because it does not establish a proper legal basis for processing personal data; fails to properly inform users how their data will be used and what they might be consenting to; and provides users with little choice other than to accept or reject a website’s terms.

Experts have queried the APD’s approach, with some suggesting an enforcement action was unnecessary.

“A guidance note forcing the IAB to change the framework in practice would have been sufficient,” said one source. “Why hit a standard-setter with a fine and legal expenses when you can just get it to change the standard?”

The ruling that the IAB is a joint data controller is a wide interpretation under the GDPR by the APD, according to legal and data experts. Some observers believe there could be two important ramifications from the decision:

  1. More companies generally—and not just those involved in adtech—could be classed as data controllers.
  2. Not all data protection authorities (DPAs) are likely to see the case the same way as the APD, meaning some regulators might take different enforcement approaches.

Feehan said in a Feb. 11 press release that IAB had “no choice but to appeal.” The appeal was lodged March 4.

“It’s unbelievable that we, as a standard-setting organization, have been fined under the very regulation that we are trying to make an entire industry compliant with,” she told Compliance Week.

On the plus side, the APD has not said the TCF needs to be scrapped.

“It is more a case that we need to add bits to it and make corrective measures to satisfy the APD,” said Feehan, who added the IAB “is confident we can get a workable solution in the timeframe.”

The IAB has until the beginning of April to come up with an action plan as to how it can change the TCF to make it compliant and a further six months to implement it. The company is concerned that even if the APD does give the plan the go-ahead, other DPAs might subsequently challenge it either during the implementation stage or take enforcement action after a revised framework is in place.

“We have no way of knowing whether the remedies we suggest to the APD will satisfy other European DPAs,” said Feehan. “One of our biggest concerns is we could spend a lot of time and effort consulting on changes with vendors to revise the framework and then find while the APD is OK with what we’ve done, another data regulator raises different objections and begins another investigation.”

Law firm Hogan Lovells pointed out while the APD’s decision was against the IAB’s use of the TCF—rather than the TCF itself—the Dutch DPA initially took a more strident view, saying that as the framework violates the GDPR, companies should stop using it immediately. The Danish DPA took a similar line.

Other agencies have remained silent.

“There appears to be little coordination among DPAs about how complaints are investigated and also a lack of consistency and transparency about whether they agree with the outcomes,” said Feehan.