The Belgian data protection authority scraps the “Transparency & Consent Framework 2.0” – what happens now?

The proceedings of the Belgian data protection authority APD against the online marketing industry association IAB Europe concerning the new “Transparency & Consent Framework” (TCF 2.0), which has been in use since 2020 (see our earlier update), have added another chapter: On 2 February, APD published its decision following an investigation against IAB Europe and after gathering input from the other European data protection authorities. The subject of these proceedings was the TCF 2.0’s compliance with the General Data Protection Regulation. This standard, which is used by the entire online marketing industry, is intended to enable businesses to collect and use online user data for advertising purposes, among other things, in a manner that complies with data protection laws.

What is the TCF 2.0?

The TCF 2.0 standardises the collection of user choices that are requested on websites and in apps via a Consent Management Platform (CMP, also known as a “cookie banner”). These user decisions are encoded and stored in a “TC string”, which is passed on to other businesses involved so that they know to what extent the user has given consent to the processing of their data for certain purposes or whether they have objected.

The CMP also stores a cookie on the user’s device. In the context of the TC string, the user is thus identifiable and their decision can be taken into account by participating businesses. The TCF 2.0 plays a central role in the architecture of today’s online marketing, as it expresses the user’s decision in relation to individual providers and various processing purposes such as the use of individual user profiles for advertising purposes.

What did the Belgian authority decide?

The decision states that IAB Europe violated the GDPR in several respects when setting up the TCF 2.0, which raises fundamental questions for the further development of online marketing in Europe.

First, as a starting point, the APD found that IAB Europe should be considered as a joint controller with regard to the collection of users’ consents and objections through the TC string – this very point of the decision is, by the way, highly questionable. Using this as a starting point, the TCF 2.0 was held to violate the GDPR in the following ways:

  • ineffective consents, no sufficient legitimate interest: On the one hand, the TCF 2.0 does not obtain effective consents and, on the other hand, relies on legitimate interests that are insufficient due to the high risk of tracking-based “real-time bidding” advertising. In consequence, the legitimate interests of the data subjects outweigh the legitimate interests of the advertiser.
  • lack of transparency: the information provided to users through the CMPs is too general and vague to allow data subjects to understand the nature and scope of the processing of their data, especially given the complexity of the TCF 2.0.
  • insufficient data security: Among other things, the TCF 2.0 does not take sufficient organisational and technical measures, does not guarantee data subjects effective exercise of their rights and does not sufficiently ensure compliance with user choices.
  • breach of documentation obligations: Finally, IAB Europe had not fulfilled its documentation obligations as a controller, such as keeping a register of processing activities, appointing a data protection officer and conducting a data protection impact assessment.

What does IAB Europe need to do now?

The Belgian authority has also imposed a fine of €250,000 on IAB Europe, as well as obligations aimed at bringing the current version of TCF 2.0 into compliance with the GDPR. These include (among others):

  • ensuring a valid legal basis (i.e. effective consent) for the processing and sharing of user data under the TCF 2.0, and the prohibition of legitimate interest as a legal basis for the processing of personal data by organisations participating in the TCF;
  • a more rigorous review of participating businesses to ensure that they comply with the requirements of the GDPR.

It can therefore be assumed that IAB Europe will present a revised version of the industry standard in a few months’ time and submit it to the Belgian authority for review – a “TCF 3.0”, so to speak.

What does the decision mean for the online marketing industry?

First of all, it should be noted that the APD’s decision is directed against the current legal structure of the TCF 2.0 and not against the underlying principle (participation of vendors in the OpenRTB process). Furthermore, the decision is only directed against IAB Europe itself and not against the publishers and marketing companies (vendors) using the TCF 2.0. In the medium term, two major developments can be expected for the online marketing industry:

  1. Even more information for users: The TCF 2.0 will now need to be revised so that the information provided to data subjects via the CMP is more detailed and comprehensive about the nature and scope of data collection and processing by the businesses involved in the TCF 2.0 before users make a consent decision.
  2. Consent as the only legal basis: A further consequence of this decision – should it be upheld – would be that it may become difficult for businesses to rely on legitimate interest as the legal basis for processing personal data. The only possible legal basis would then be the consent of the data subject. The extent to which this blanket rejection of a legitimate interest as a legal basis is really compatible with the GDPR can certainly be disputed.

The DPA’s other measures (register of processing activities, appointment of a data protection officer and implementation of a DPIA) exclusively concern IAB Europe as a controller and can be disregarded when assessing the practical impact of the decision.

What should you do now?

In a strict reading of the Belgian supervisory authority’s decision, the current processing of user data under the TCF 2.0 violates the GDPR, in particular because no effective consent is obtained. Since IAB Europe itself has no control over the TC strings, it would therefore in principle be the publishers’ responsibility to ensure that personal data that has been collected unlawfully is not processed further and deleted accordingly.

However, this is not the end of the story. As mentioned above, IAB Europe now has two months to submit an action plan to remedy the identified deficiencies, which must then be implemented within a period of six months (“TCF 3.0”). In addition, IAB Europe can take legal action against the decision of the Belgian supervisory authority – which it will most likely do. Only after a final court decision confirming the APD’s legal opinion would the decision become effective.

For the time being, our conclusion is that, according to APD (and other European data protection authorities), the current design of tracking consent prompts based on the TCF 2.0 is not GDPR-compliant and thus illegal. However, it remains to be seen whether this view will ultimately be confirmed by the courts, in particular the European Court of Justice. The only current alternative to the TCF 2.0 as an established industry standard, namely “hand-made” consent solutions, is not very practicable and may suffer from the same problems.

Until then, publishers should revisit their CMPs to make them as compliant as possible, e.g. following the guidance issued by the German data protection authorities in December 2021 (see our last client update). Online marketing service providers should consider switching to an entirely consent-based business model.

As always, we remain at your disposal to answer any questions you may have in this matter.

Dr. Frank Eickmeier, Rechtsanwalt
Dr. Lukas Mezger, Rechtsanwalt