source link: https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europes-consent-popups-are-unlawful/

GDPR enforcer rules that IAB Europe’s consent popups are unlawful

Google, Amazon, and the entire tracking industry rely on IAB Europe’s consent system, which has now been found to be illegal following complaints coordinated by ICCL.

EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.

2 February 2022. In a decision of 2 February 2022, 28 EU data protection authorities, led by the Belgian Data Protection Authority as the leading supervisory authority in the GDPR’s one-stop-shop mechanism, found that the online advertising industry’s trade body “IAB Europe” commits multiple violations of the GDPR in its processing of personal data in the context of its “Transparency and Consent Framework” (TCF) and the real-time bidding system OpenRTB.

The consent popup system known as the “Transparency & Consent Framework” (TCF) is on 80% of the European internet. The tracking industry claimed it was a measure to comply with the GDPR. Today, GDPR enforcers ruled that this consent spam has, in fact, deprived hundreds of millions of Europeans of their fundamental rights.

The findings:

The TCF consent system infringes the GDPR in the following ways:

  • Fails to ensure personal data are kept secure and confidential (Article 5(1)(f) and Article 32 GDPR)
  • Fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by online advertising tracking (Article 5(1)(a) and Article 6 GDPR)
  • Fails to provide transparency about what will happen to people’s data (Articles 12, 13, and 14 GDPR)
  • Fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR)
  • Fails to respect the requirement for “data protection by design” (Article 25 GDPR)

The Belgian Data Protection Authority said IAB Europe “was aware of risks linked to non-compliance” and “was negligent”. It also found that IAB Europe had failed to honour its data protection obligations to maintain records of data processing (Article 30 GDPR), to conduct a data protection impact assessment (DPIA) (Article 35 GDPR), and to appoint a Data Protection Officer (Article 37 GDPR).

Citing the TCF’s “systematic deficiencies”, the Belgian Data Protection Authority noted that it “supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects.”

All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.

These findings are the result of proceedings initiated by complainants at the Belgian Data Protection Authority, coordinated by the Irish Council for Civil Liberties. The group of complainants includes: Dr Johnny Ryan of the Irish Council for Civil Liberties, Katarzyna Szymielewicz of the Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, and Dr Pierre Dewitte. The Belgian procedure follows complaints about the insecurity of the online advertising “Real-Time Bidding” (RTB) system that Dr Ryan initiated in 2018.

The decision was made by the Belgian Data Protection Authority in agreement with 27 other EU data protection authorities, and is immediately binding and enforceable across the European Union under the GDPR’s “one-stop-shop” mechanism.

“This has been a long battle”, said Dr Johnny Ryan of the Irish Council for Civil Liberties. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies”.

We wish to thank our lawyers, Frederic Debusseré and Ruben Roex of Timelex.

We are reading the decision in detail, and will publish our more detailed analysis at a later point.

Full decision here:

https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022-english.pdf

