Belgian DPA Investigates IAB Europe Framework, Concludes It Fails GDPR

In potentially landscape-shifting investigation, Belgium’s Data Protection Authority (“BDPA”) has determined that the  Interactive Advertising Bureau’s (“IAB”) framework for obtaining Internet users’ consent for targeting with behavioural ads  is noncompliant with the requirements of Europe’sGeneral Data Protection Regulation (“GDPR”). BDPA’s findings have been sent to the European Data Protection Board for action, which is scheduled to be taken in early 2021.

Those companies who have implemented IAB’s GDPR framework are now on notice that the framework is unlikely to pass regulatory muster, and those consent providers that  use the framework will likely face some challenging questions from their customers as to why they’ve recommended a solution prior to determining that it is allowable for GDPR purposes. Clym customers can rest easy as Clym’s leadership has delayed adopting the IAB’s framework until a determination as to its legality was made.

What Happened?

In April 2018, IAB developed its Transparency and Consent Framework (“TCF”), with the stated aim to help publishers comply with the GDPR. IAB stated that the TCF would help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive. As noted above, the framework has been widely adopted by consent management providers

However, BDPA’s findings suggest the framework is not GDPR compliant. BDPA’s investigation was prompted by complaints concerning the use of personal data in the real-time bidding (“RTB”) component of programmatic advertising; privacy advocates contend that a system of high velocity personal data trading is inherently incompatible with GDPR’s requirements, including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing. It also finds that the TCF does not provide adequate rules for the processing of special category data (e.g. health information, political affiliation, sexual orientation etc), yet does process that data. Europe’s RTB market was worth nearly $8 billion in 2019, which is one reason why the TCF was widely adopted as the revenues in play are enormous.

BDPA’s report also  excoriated IAB’s own approach to GDPR, as it does not have a Data Protection Officer, nor a register of its own internal data processing activities; its own privacy policy was also found to be lacking in a number of ways.

How Can Clym Help?

Clym has not implemented the TCF, so our customers are not affected, and while we aim to stay on top of regulations as they evolve, we won’t adopt unproven standards that jeopardize our customers’ compliance.

Clym provides a cost-effective, scalable and flexible platform to help comply with CCPA, GDPR, and other laws as they continue to change.  Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.