For the viewers on slow motion, opening ad to watch in the European Union, here’s a new development on the long and winding road to long-overdue legal redress: Multiple grounds of appeal filed by the industry, IAB Europe, v finding of violation earlier this year against a self-proclaimed “best practice” framework for obtaining consent from web users to have their data processed for behavioral advertising was rejected by the Brussels Market Court of Appeal.
At the same time, legal issues have been taken to Europe’s highest court on a number of other grounds of appeal — meaning a tough ruling on a key component of adtech’s complex surveillance machine will be handed down in the coming years.
On a specific issue here is a “cross-industry” framework defined and promoted by IAB Europe and adopted by numerous publishers and advertisers to claim to obtain web users’ “consent” for ad tracking, but which critics argue amounts to sophisticated ‘compliance theatre’ – miming consent to circumvent EU privacy laws.
This consent tool, also known as the Transparency and Consent Framework (TCF), is at the heart of most of the annoying ad consent pop-ups that plague web users in the region – but it was found to be in breach of the General block data protection (GDPR) earlier this yearafter a lengthy investigation by the Belgian data protection authority, confirming what privacy and legal experts have been warning for years: that majority consent to ad tracking is a big fat lie.
The GDPR violations confirmed in the Belgian authority’s decision on TCF, back in February, cover basic principles such as the lawfulness of processing; fairness and transparency; processing security; privacy of personal data; and data protection by design and by default, among others.
IAB Europe itself has also breached the GDPR. And the online advertising industry body was given a strict deadline of six months to fix a whole list of violations – although TCF was allowed to continue to exist in the meantime (so the annoying pop-ups still haven’t gone away).
IAB Europe responded to the regulatory slap by firing its lawyers and filing an appeal – trying to overturn the Belgian DPA’s decision, arguing against it from a variety of angles, from claims of procedural unfairness to outright denials of its role or the technologies the steering wheel infringes all EU laws.
Meanwhile, in further denial of an existential privacy problem with ad tracking, the body said it plans to push and present the TCF as a “transnational code of conduct,” apparently eyeing it. grafting “compliance” with US regulatory requirements (such as California’s CCPA). (An associated US-based ad tech body, the IAB Tech Lab, published this summer a draft of a replacement “global” framework called “Global Privacy Platform,” which claims to “rationalize[es] signaling standards for technical privacy and data protection in a single framework and set of tools that can adapt to regulatory and commercial market requirements across channels’ — but which critics warn that it simply repeats many of the same glaring flaws that got TCF into legal trouble in Europe, so the lack of reforming fervor is palpable.)
But how much the IAB stands to gain from denying the legal reality in the EU – where data protection is (at least on paper) comprehensive and privacy a fundamental right – is the big question.
In a first blow to his appeal against TCF’s GDPR repeal, a raft of procedural complaints have now been thrown.
Grounds for appeal?
Of the eight pleas on which the Brussels court decided at this stage of the appeal, five were found to be wholly without merit — with only two of the latter pleas deemed “partially well founded” as the Court governing puts it. (Those related to a finding that additional claims and complaints—centered on whether a mechanism in the IAB’s framework constituted personal data—were included in the post-hearing decision without “sufficient diligence.” Although the court emphasized that the authority would not have had to begin a whole new investigation, as the IAB claims, so this seems like a pretty small procedural victory.)
The other five grounds on which the court ruled at that stage — such as the IAB’s claim that the complaints were inadmissible or that the body’s inspection report was “incomplete and biased” — were all rejected.
However, there are more grounds filed by the IAB (the decision lists nineteen in total). And the appeal has now been suspended pending the response of the Court of Justice of the European Communities (CJEU) to legal questions relating to these grounds.
The questions referred centered on whether a user’s consent string transmitted through the TCF constituted personal data (the IAB argued that it did not, but the Belgian DPA decided that it did, as the appellants also argued); and whether the IAB, which presents itself as a modest industry standards body, is a joint data controller for the purposes of the TCF and the so-called “TC string” (again it claims not, but has been found by the body to be a joint controller).
“That the Court of Appeal in Brussels has taken our issues to the Court of Justice of the European Union shows the importance of this case,” said one of the original applicants, Dr Johnny Ryan, a senior fellow at Irish Council for Civil Liberties, in a statement. “Today’s decision is the next step in our efforts to end consent pop-ups that have plagued internet users in Europe for years. We now look forward to the answers from the Court of Justice of the European Communities and subsequently a decision on the merits of the Court of Appeal in Brussels.”
The EU Court of Justice may take several years to rule on these matters, but there is no way to appeal its decision. So the train has already left the station.
There will be — in relatively short order — a firm ruling from the court on key points such as whether an entity that creates and promotes an ad-tech infrastructure for mass surveillance and whose rules dictate the basic procedures of that tracking machine is able to avoid the full force of the Act for EU privacy, claiming to be just the head of a standards body! And about the IAB’s leading sleight of hand — when it claims that TC strings aren’t personal data and don’t link to individuals, so there’s no need for a legal basis to process them anyway — which would be quite a departure clause for behavioral ads from the law of the EU for data protection, if allowed to stand trial.
(The Belgian DPA’s response to this argument was to point out that the TCF associates the consent string with the user’s IP address, which is absolutely considered personal data under the GDPR; and that users of the tool can also identify users through other data; and that in fact, the whole point of the TC string is to identify the user.)
At this point, it’s worth refreshing your memory on how the GDPR defines personal data [with added emphasis ours]:
“personal data” means some information referring to an identified or identifiable a natural person (“data subject”); an identifiable natural person is one that can be identifieddirectly or indirectlyin particular by reference to an identifier like name, identification number, location data, online identifier or to one or more factors specific to that individual’s physical, physiological, genetic, mental, economic, cultural or social identity;
So now EU citizens, annoyed by countless illegal pop-ups, have to hold their breath for a decision by the Court of Justice of the EU. (But the best legal minds in Europe certainly wouldn’t need to think too long to call this mulligan.)
Next stop, performance?
In the meantime, the Belgian DPA could — and indeed should — resume enforcement of the original order, given enormous scale of the violations and risks of the fundamental rights of Europeans to allow illegal mass surveillance by out of control advertising technologies to continue unchecked.
Asked about his expectations for enforcement, Ryan told TechCrunch that he’s looking into whether the authority’s decision can now finally be implemented (a preliminary opinion of Belgium on TCFalso finding it in breach of the GDPR, dating back almost two full years at this point).
“The extension was until the decision of the market court. So it should be able to enforce it now,” he suggested, adding: “The tracking-based online advertising industry has to come to terms with the possibility that EU data protection law will actually be enforced.”
We also reached out to Belgian authorities and IAB Europe with questions, but neither had responded at press time.
IAB Europe publishes a statement on his website about the development, acknowledging what he called a “temporary solution” and the referral of questions to the EU Court of Justice – which he said he “welcomed”.
“The interpretation of the concepts of personal data and control covered by the APD [Belgian DPA] is unnecessarily broad from a consumer protection point of view and has significant negative implications for the development of open standards and codes of conduct envisaged in the GDPR,” Townsend Feehan, chief executive of IAB Europe, added in a canned comment. “This would place an unacceptable financial burden on host organizations, discouraging the development of these important compliance tools.”
IN statement On its website, the Belgian authority wrote that it “will now have to further analyze the decision before it can comment on its content” but said it was “already satisfied with this decision, which will further clarify key concepts of the GDPR, such as the definition of the term data controller and its applicability to framework designers’.
Hielke Hijmans, president of the DPA’s judicial chamber, added in a statement: “The IAB Europe case we ruled on in February has an impact that goes beyond Belgium. That is why we think it is good that it is being discussed at the European level, in the EU Court of Justice.”
The authority went on to write that its decision “made an important contribution to the protection of internet users’ privacy in Europe, through its analysis of the mechanism for recording users’ preferences for targeted online advertising”, further claiming: “It will raise awareness of online advertising and in particular about the mechanism behind consent to receive targeted advertising.’
The DPA statement added that Belgium would “discuss possible next steps with its EU colleagues”.
Which, well, sounds a bit like “watch this space”…