IAB Europe's GDPR probe moves forward in hearing with Belgian authority

IAB Europe held a hearing earlier this month with the Belgian data protection authority, MLex has learned, signalling progress in a probe into whether it’s infringing EU data protection rules with its "transparency and consent framework," used by web publishers for gathering consent to ad targeting.

The closed-door hearing, which took place on June 11, was held before the authority drafts its final decision, which would then be sent to other EU data protection authorities for review and comment.

It’s unclear when the Belgian authority will finish the draft decision and send it to its 26 peers. That procedure may start in September, meaning that a final decision could come as early as October, MLex understands.

At issue is IAB Europe’s transparency and consent framework, which is deployed on websites to ask users to accept or reject ad trackers — with the goal of helping publishers comply with the EU’s General Data Protection Regulation.

The Belgian authority’s investigation follows complaints against the use of personal data in the real-time bidding systems, where web users’ personal data are broadcast in a "bid request" to dozens or even hundreds of companies, the complainants said. This is the "most massive leakage of personal data recorded so far".

“That data is then passed to a vast ecosystem of data brokers and advertisers. Those third parties can then use that data in any way they determine, without the data subject having any say, knowledge or control over that subsequent use,” the complainants said.

In March, David Stevens, the president of the Belgian authority, said that IAB Europe will soon face a decision because the case is now with the watchdog’s litigation chamber.

In October, the authority’s inspection service found a number of alleged GDPR "compliance issues" with the consent framework managed by IAB Europe, according to activists.

IAB Europe rejected the preliminary findings, saying that it disagrees with the regulator's interpretation of the GDPR, in which the organization is a data controller in the context of publishers’ use of the framework, known as the TCF.

IAB Europe has called its TCF "the only GDPR consent solution built by the industry for the industry, creating a true industry-standard approach." It aims to help digital advertising companies comply with the GDPR and e-Privacy Directive "when processing personal data or accessing and/or storing information on a user’s device, such as cookies, advertising identifiers, device identifiers and other tracking technologies."

The Belgian inquiry stemmed from complaints that the TCF allows companies to exchange sensitive information about people even when this has not been authorized, and provides inadequate controls for the processing of sensitive personal data that occurs in the real-time bidding system for placing ads that is used by Google and other companies.