The Belgian Data Protection Authority fined IAB Europe 250,000 euros Wednesday, ruling its Transparency and Consent Framework, used by much of the advertising industry in the European Union, does not comply with several EU General Data Protection Regulation provisions.
Through data processing under the TCF, which “facilitates the management of users’ preferences for online personalised advertising,” the DPA found IAB Europe acts as a data controller and can be held responsible for potential GDPR violations. The authority also ruled IAB Europe did not establish a legal basis for processing and failed to appoint a data protection officer, conduct a data protection impact assessment, or maintain a register of processing activities. The DPA also argued it is difficult for users to “maintain control over their personal data” under the framework, as the information provided is “too generic and vague to allow users to understand the nature and scope of the processing.”
The DPA’s Litigation Chamber imposed “serious sanctions … because the TCF may lead to a loss of control of their personal information by large groups of citizens.” It gave IAB Europe two months to present an action plan that brings the current version of the Transparency and Consent Framework into compliance.
IAB Europe was also ordered to…