IAB Europe fined $286K under GDPR for data processing violations

The penalty under the General Data Protection Regulation is the second largest to be handed down in Belgium since the law took effect in May 2018, according to the GDPR Enforcement Tracker. The DPA consulted with other European Union countries under the cooperation mechanism (“one-stop shop”) of the GDPR in reaching its determination on a punishment.

“Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one,” said David Stevens, chairman of the Belgium DPA, in a press release. “… Online privacy and the fight against too intrusive forms of advertising is an important priority for us.”

IAB Europe in November released a statement acknowledging it expected to be fined under the GDPR in Belgium regarding the TCF. The framework is designed to “help all parties in the digital advertising chain ensure that they comply with the EU’s GDPR and ePrivacy Directive when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers, and other tracking technologies,” IAB Europe stated on its website.

Key to the case was dispute over whether IAB Europe is a data controller for the TCF’s digital signals that capture data subjects’ choices about the processing of their personal data for digital advertising, content, and measurement. While the company believes it is not, the DPA’s ruling determined it is and is therefore liable for the following GDPR infringements:

• Failing to establish a legal basis for the processing of user preferences and legal grounds offered by the TCF for subsequent processing of such data by adtech vendors;
• Providing information in a format too vague for users to understand the nature and scope of the processing, making it difficult to maintain control of their personal data;
• Failing to ensure the effective exercise of data subject rights as well as monitoring the validity and integrity of users’ choices; and
• Failing to keep a register of processing activities, appoint a data protection officer, and conduct a data protection impact assessment.

“We reject the finding that we are a data controller in the context of the TCF,” said IAB Europe in a statement. “We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”

The DPA said IAB Europe has two months to present an action plan to bring its activities into compliance. The company is required to establish “a valid legal basis for the processing and dissemination of users’ preferences within the context of the TCF, as well as the prohibition of the use of legitimate interest as a basis for the processing of personal data by organizations participating in the TCF” and create strict vetting procedures for organizations seeking to participate in the TCF to ensure they are GDPR compliant.

“[O]ur decision today will have a major impact on the protection of the personal data of internet users,” stated Hielke Hijmans, chairman of the litigation chamber of the DPA. “Order must be restored in the TCF system so that users can regain control over their data.”

Editor’s note: IAB Europe on Feb. 11 announced it would appeal the Belgian DPA’s ruling.