A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.
The Belgian DPA’s investigation follows complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising which contend that a system of high velocity personal data trading is inherently incompatible with data security requirements baked into EU law.
The IAB Europe’s Transparency and Consent Framework (TCF) can be seen popping up all over the regional web, asking users to accept (or reject) ad trackers — with the stated aim of helping publishers comply with the EU’s data protection rules.
It was the ad industry standard’s body’s response to a major update to the bloc’s data protection rules, after the General Data Protection Regulation (GDPR) came into application in May 2018 — tightening standards around consent to process personal data and introducing supersized penalties for non-compliance — thereby cranking up the legal risk for the ad tracking industry.
The IAB Europe introduced the TCF in April 2018, saying at the time that it would “help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive”.
The framework has been widely adopted, including by adtech giant, Google — which integrated it this August.
Beyond Europe, the IAB has also recently been pushing for a version of the same tool to be used for ‘compliance’ with California’s Consumer Privacy Act.
However the findings by the investigatory division of the Belgian data protection agency cast doubt on all that adoption — suggesting the framework is not fit for purpose.
The inspection service of the Belgium DPA makes a number of findings in a report reviewed by TechCrunch — including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.
It also finds that the TCF does not provide adequate rules for the processing of special category data (e.g. health information, political affiliation, sexual orientation etc) — yet does process that data.
There are further highly embarrassing findings for the IAB Europe, which the inspectorate found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.
We’ve reached out to the IAB Europe for comment on the inspectorate’s findings.
A series of complaints against RTB have been filed across Europe over the past two years, starting in the UK and Ireland.
Dr Johnny Ryan, who filed the original RTB complaints — and is now a senior fellow at the Irish Council for Civil Liberties — told TechCrunch: “The TCF was an attempt by the tracking industry to put a veneer or quasi-legality over the massive data breach at the heart of the behavioral advertising and tracking industry and the Belgian DPA is now peeling that veneer off and exposing the illegality.”
Ryan has previously described the RTB issues as “the greatest data breach ever recorded”.
Last month he published another hair-raising dossier of evidence on how extensively and troublingly RTB leaks personal data — with findings including that a data broker used RTB to profile people with the aim of influencing the 2019 Polish Parliamentary Election by targeting LGBTQ+ people. Another data broker was found to be profiling and targeting Internet users in Ireland under categories including “Substance abuse”, “Diabetes,” “Chronic Pain” and “Sleep Disorders”.
In a statement, Ravi Naik, the solicitor who worked on the original RTB complaints, had this to say on the Belgian inspectorate’s findings: “These findings are damning and overdue. As the standard setters, the IAB is responsible for breaches of the GDPR. Their supervisory authority has rightly found that the IAB ‘neglects’ the risks to data subjects. The IAB’s responsibility now is to stop these breaches.”
Following the filing of RTB complaints, the UK’s data watchdog, the ICO, issued a warning about behavioural advertising in June 2019 — urging the industry to take note of the need to comply with data protection standards.
However the regulator has failed to follow up with any enforcement action — unless you count multiple mildly worded blog posts. Most recently it paused its (still ongoing) investigation into the issue because of the pandemic.
In another development last year, Ireland’s DPC opened an investigation into Google’s online Ad Exchange — looking into the lawful basis for its processing of personal data. But that investigation is one of scores that remain open on its desk. And the Irish regulator continues to face criticism over the length of time it’s taking to issue decisions on major cross-border GDPR cases pertaining to big tech.
Jef Ausloos, a postdoc researcher in data privacy at the University of Amsterdam — and one of the complainants in the Belgian case — told TechCrunch the move by the DPA puts pressure on other EU regulators to act, calling out what he described as “their complete, deer-in-the-headlights inaction“.
“I think we’ll see more of this in the coming months/year, i.e. other DPAs sick and tired, taking matters into their own hands — instead of waiting on the Irish,” he added.
“We are happy to finally see a data protection authority having the resolved to take on the online advertisement industry at its roots. This may be the first important step in taking down surveillance capitalism,” Ausloos also said in a statement.
There are still several steps to go before the Belgian DPA takes (any) action on the substance of its inspectorate’s report — with a number of steps outstanding in the regulatory process. We’ve reached out to the Belgian DPA for comment.
But, per the complainants, the inspectorate’s findings have been forwarded to the Litigation Chamber, and action is expected in early 2021. Which suggests privacy watchers in the EU might finally get to uphold their rights against the ad tracking industry/data industrial complex in the near future.
For publishers the message is a need to change how they monetize their content: Rights-respecting alternatives to creepy ads are possible (e.g. contextual ad targeting which does not use personal data).