After a years-long process, data protection officials across the European Union have ruled that Europe’s ad tech industry has been operating unlawfully. The decision, handed down by Belgium’s APD and agreed to by regulators across the EU, found that the system underpinning the industry violated a number of principles of the General Data Protection Regulation (GDPR). The Irish Council for Civil Liberties has declared victory in its protracted battle against the authority which administers much of the advertising industry on the continent: IAB Europe.
At the heart of this story is the use of the Transparency and Consent Framework (TCF), a standardized process to enable publishers to sell ad space on their websites. This framework, set by IAB Europe, is meant to provide legal cover — in the form of those consent pop-ups which blight websites — enabling a silent, digital auction system known as Real-Time Bidding (RTB). But both the nature of the consent given when you click a pop-up and the data collected as part of the RTB process have now been deemed to violate the GDPR, which governs privacy rights in the bloc.
Back in December, I wrote a deep (deep) dive on this situation*, and the potential privacy violations that the RTB process caused. After all, ad-tech companies working across a number of different platforms can collect real data about you, marry that to your browsing habits and create a detailed portrait of your life, which is known as a TC String. Dr. Johnny Ryan, who led the legal campaign on behalf of the ICCL, called this the “world’s biggest data breach,” since these Strings are broadcast online to a wide number of recipients without direct oversight.
The APD has ruled that any and all data collected as part of this Real-Time Bidding process must now be deleted. This could have fairly substantial implications for many big tech companies with their own ad businesses, including Google and Facebook, as well as big data companies. It may also have a large impact on many media platforms and publishers on the continent who will now need to address the fallout from the finding.
Regulators have also handed down an initial fine of €250,000 to IAB Europe and ordered the body to effectively rebuild the ad-tech framework it currently uses. This includes making the system GDPR compliant (if such a thing is possible) and appointing a dedicated Data Protection Officer. Until now, IAB Europe has maintained that it did not create any personal data, and said in December that it was a standards setter and trade association, rather than a data processor in its own right.
In its own statement, IAB Europe says that the ruling did not ban the use of Transparency and Consent Frameworks. It added that it is looking to reform the process and “submit the Framework for approval as a GDPR transnational Code of Conduct.” It has said, however, that it may launch a legal challenge to fight the accusation that it is a data controller, a decision it says will “have major unintended negative consequences going well beyond the digital advertising industry.”
* Honestly, even though the subject is dense, it’s very easy to read.