Belgium, GDPR Superpower, About to Rule Leading Ad Tracking Framework is Illegal

Posted on Nov 11, 2021 by Glyn Moody

This blog’s posts can often seem a depressing series of stories about privacy loss. But there are some major fightbacks happening in the background, many of which require the slow grinding through bureaucratic and legal processes. The main framework for these is the EU’s General Data Protection Regulation (GDPR), whose impact reaches far beyond Europe. As you might expect, authorities in the larger EU nations such as Germany and France play an important role in helping to defend privacy using the GDPR. What is more surprising perhaps, is the way that Belgium, a country better-known for its love of chocolate than its love of data protection, has emerged as a GDPR superpower.

Back in 2017, Belgium was one of three EU countries that ruled Facebook was breaking their privacy laws. Last year it emerged that Beligum was investigating the real-time bidding (RTB) process that lies at the heart of most online advertising today. The focus of that investigation was something called the Transparency and Consent Framework (TCF) from the leading digital advertising group IAB Europe, which describes its mission as “to lead political representation and promote industry collaboration to deliver frameworks, standards and industry programmes that enable business to thrive in the European market”.

As for the TCF, it “creates an environment where website publishers can tell visitors what data is being collected and how their website and the companies they partner with intend to use it.” IAB Europe says that the TCF is “the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach.” The TCF has been hugely successful, and is very widely used within the digital advertising world. That makes the following release from IAB Europe about a draft ruling of the Belgian Data Protection Authority (also known as the APD, from its French name “Autorité de protection des données”) following its investigation of the TCF framework, of great significance. IAB Europe writes:

The draft ruling will apparently identify infringements of the GDPR by IAB Europe, but it will also find that those infringements should be capable of being remedied within six months following the issuing of the final ruling, in a process that would involve the APD overseeing the execution of an agreed action plan by IAB Europe.

For obvious reasons, IAB Europe wishes to minimize the impact that this decision is likely to have. But the Irish Council for Civil Liberties (ICCL) takes a rather different view:

We have won. The online advertising industry and its trade body, “IAB Europe”, have been found to have deprived hundreds of millions of Europeans of their fundamental rights.

IAB Europe designed the misleading “consent” pop-ups that feature on almost all (80%+) European websites and apps. That system is known as IAB Europe’s “Transparency & Consent Framework” (TCF). These popups purport to give people control over how their data are used by the online advertising industry.

The problem is that the RTB system constantly sends out personal data to potential advertisers in huge quantities, as described in detail on this blog a year ago. The person behind the ICCL research discussed there, and Senior Fellow at the ICCL, Johnny Ryan, is quoted as saying about the draft decision of the Belgian data protection authority:

“Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal”, said Dr Johnny Ryan of ICCL. … “We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform”.

It’s worth pointing out that this is only a draft decision, so details may change. Moreover, as the IAB Europe rightly notes, there’s plenty of bureaucracy before the ruling is finalized. First, the draft will be shared with the other national data protection authorities across the EU. They will then have 30 days to review it, and presumably comment on it. If for any reason they are not happy with it – for example, if they want something stronger, as has happened before – then the European Data Protection Board may be asked to make a binding decision. Even then, it’s unlikely that things will be final. Given the importance of this ruling, it seems almost certain that IAB Europe will appeal against it. So we are looking at many months, if not years, of further discussions.

Nonetheless, as Ryan says, this would be a huge “win” for privacy if it all goes through. The RTB system is central to the way most advertising is sold online, and IAB Europe’s TCF is key to making that happen in the EU. Without the TCF, it will be hard, maybe impossible, to continue with RTB under the GDPR. That’s definitely a desirable outcome for privacy, but there are other reasons for dropping the current approach. The opacity of the RTB system allows Google to make excessive profits, because it’s hard for other players in the ad world to track exactly where the money goes.

Alongside the battle over the TCF, IAB Europe is fighting against the possibility that the EU might ban or restrict micro-targeted ads in Europe as part of the proposed Digital Services Act, with a new campaign entitled “No Easy Wins“. But moving to contextual advertising is just that: an easy win. It allows targeted advertising to take place while preserving people’s privacy, and has no need of what may soon be illegal frameworks like the TCF. Who could possibly be against that?

Featured image by Zorro2212.