For those watching the slow motion shows surveillance ads in the European Union, this is a new development on the long and winding road to long overdue legal reckoning: Multiple grounds for appeal by industry body, IAB Europe, against one detect violations Earlier this year, against a self-proclaimed “best practice” framework for obtaining consent from web users for their data to be processed for behavioral advertising, was rejected by the Brussels Market Court of Appeal. .
At the same time, legal questions have been moved to Europe’s top court regarding several other grounds of appeal – meaning a hard ruling will be made against a key component of the ministry. adtech’s sophisticated surveillance machine in the years to come.
At issue here is a “cross-industry” framework outlined and promoted by IAB Europe, and appreciated by publishers and advertisers to declare that they are getting their consent. of web users for ad tracking but critics argue building ‘compliance theater’ – performing a pantomime of consent to address Coalition privacy laws Europe.
This consent tool, aka the Consent and Transparency Framework (TCF), underlies the majority of ad consent pop-ups that annoy web users in the region – but it was found to violate the bloc’s General Data Protection Regulation (GDPR) this early yearafter a lengthy investigation by the Belgian data protection authority, confirming what legal and privacy experts have warned for years: The majority agreeing to ad tracking is an understatement. big lie.
GDPR violations confirmed in the Belgian competent authority’s decision to the TCF, back February, including key principles such as legality of processing; fair and transparent; confidentiality of the processing; integrity of personal data; and data protection by design and default, among other things.
The European IAB itself was also found to have violated the GDPR. And the online advertising industry body was given a tough six-month deadline to fix a washed listing – even though the TCF was allowed to exist in that time (so the windows the annoying pop-up hasn’t gone away yet).
IAB Europe has responded to the regulatory punishment by firing its lawyers and filing an appeal – seeking to overturn the Belgian DPA’s decision by arguing against it from multiple angles , from claims of procedural inequity to outright denials that its role or the technologies it directs violate any EU law.
At the same time, in further denying the privacy issue that exists with ad tracking, the agency said it plans to highlight and submit the TCF as a “Transnational Code of Conduct.” seems to be getting attention. compounding ‘compliance’ with US regulatory requirements (such as California’s CCPA). (US-based ad technology agency, IAB Tech Lab, published a draft “global” alternative framework this summer, called “Global privacy platform“, which it claims“ streamlin[es] technical privacy and data protection signaling standards into a single schema and a set of tools that can be adapted to commercial and regulatory market needs across channels” – but Critics warn just repeating many of the same glaring flaws that brought TCF into legal hot water in Europe, so a lack of reform enthusiasm is evident.)
But how many kilometers the IAB can gain from negating the legal reality in the EU – where data protection (at least on paper) is comprehensive and privacy is a fundamental right – is a big question.
In the first blow to the TCF’s call against repeal of GDPR, a series of its procedural rules have now been rolled out.
Grounds for appeal?
Of the eight grounds decided by the Brussels court at this point in the appeal, five were found to be completely unfounded – only the last two were deemed “partially well-founded”, as Court rule put it. (Those concerns a finding that additional allegations and complaints – focusing on whether a mechanism within the framework of the IAB constitutes personal data – were included in the following decision) hearing without “adequate due diligence.” Although the court stressed that the competent authority would not have been able to open an entirely new investigation, as the IAB argued, this appears to be as a rather small procedural victory.)
Five other grounds the court decided at this stage – such as the IAB’s assertion that the claims were unacceptable or the Authority’s Inspection Report “incomplete and biased” ” – were all rejected.
However, there are still more grounds laid down by the IAB (the ruling lists nineteen in all). And the appeal has now been suspended pending the Court of Justice (CJEU) to answer legal questions regarding these grounds.
The questions in question focused on whether each user’s chain of consent passed through the TCF constitutes personal data (the IAB argued not but the Belgian DPA decided that, as those in question). claim also argued); and whether or not the IAB, which considers itself a modest industry standards body, is the general data control body for the purposes of TCF and the so-called “TC chain” (again, it is) argument is not but it has been found by the authority to be a general controller).
“The fact that the Brussels Court of Appeal has referred our question to the European Court of Justice shows the importance of this case,” said one of the original complainants, Dr Johnny Ryan, senior member in Irish Civil Liberties Council, in a statement. “Today’s ruling is the next step in our efforts to end consent pop-ups that have been harassing Internet users in Europe for years. We now expect an answer from the European Court of Justice and then a ruling on the merits of the Brussels Court of Appeal.”
The CJEU could take a few years to reach a ruling on these questions but there is no roadmap for appeals about what it decides. So now the train has left the station.
There will be – in pretty brief order – there will be a tough ruling from the court on key points like whether an entity invents and promotes mass surveillance ad technology infrastructure and can rules governing the core processes of this tracker, can avoid the full force of the European Union Privacy Law declaring it just a standards body! And on top of the IAB – as it claims TC strings are not personal data and are not linked to individuals there is no need for a legal basis to process them anyway – this would be quite easy-to-understand- terms of advertising conduct under European Union data protection law if the court allows.
(The Belgian DPA’s response to that argument was to point out that the TCF links the consent chain to the user’s IP address, which is strictly treated as personal data under GDPR; and the user of the tool as well. it is possible to identify the user through other data; and indeed, the whole point of the TC chain is to identify the user.)
At this point it pays to refresh the memory on how GDPR identifies personal data [with added emphasis ours]:
‘personal data’ means any information Related to one determine or identifiable natural people (‘data subject’); a natural person can be identified as a who can be identifieddirectly or Indirectespecially by reference to an identifier As name, identifier, location data, an online identifier or to one or more factors that characterize the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So now EU citizens vexed by countless illegal pop-ups must hold their breath at the CJEU ruling. (But the best legal minds in Europe certainly wouldn’t have to think too long to call out this scammer.)
Next stop, execute?
Meanwhile, the Belgian DPA can – and really should – restart the execution of the original command, provided that large scale of violations and risk to the fundamental rights of Europeans to permit illegal mass surveillance by adtech out of control to continue unchecking.
When asked about his expectations for enforcement, Ryan told TechCrunch that he’s looking into whether the final authority’s decision could be applied (a. Belgium’s preliminary ruling on TCFalso found it violated the GDPR, dating back almost two years at this point).
“The extension is until the decision of the Market Court. So it should be applicable now,” he suggested, adding: “The tracking-based online advertising industry must regulate itself to be able to enforce European Union data protection laws. Europe. “
We have also reached out to the Belgian authorities and IAB Europe with questions – but neither of them have responded at press time.
IAB Europe posted a statement posted on its website about the developments, acknowledging what it referred to as an “interim ruling” and referring questions to the CJEU – which it said was “welcome”.
“The interpretation of the concepts of personal data and control applied by APD [Belgian DPA] in view of unnecessarily broad consumer protection and have significant negative impacts on the development of open standards and the Code of Conduct foreseen in GDPR,” said Townsend Feehan, Managing Director. by IAB Europe, added in a canned comment. “It would place an unacceptable financial burden on host organizations, discouraging the development of these important compliance tools.”
In one statement On its website, the Belgian authority writes that it is “now subject to further analysis of the ruling before it can present its content in more detail” but it claims to be “satisfied with the This decision will further clarify key concepts of GDPR such as the definition of the data controller concept and its applicability to framework designers”.
Hielke Hijmans, Chairman of the DPA Litigation Division, added in a statement: “The European IAB case, which we ruled in February, has an impact far beyond Belgium. That is why we think it is a good thing that it is being discussed at the European level, at the EU Court of Justice”.
The agency went on to write that its decision has “made an important contribution to the protection of the privacy of Internet users in Europe, through the analysis of the mechanism for recording users’ preferences for online advertising.” targeted”, argues further: “It will raise awareness about online advertising and especially about the mechanism behind consent to receive targeted advertising.”
The DPA statement added that Belgium would “discuss possible next steps with its EU partners”.
Which, well, sounds a bit like ‘watch this space’…