Top EU court finds widely employed consent system violates EU privacy regulation

Content-Type:

News Based on facts, either observed and verified directly by the reporter, or reported and verified from knowledgeable sources.

“IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight," said Johnny Ryan from the Irish Council for Civil Liberties (ICCL). [PeopleImages.com - Yuri A/Shutterstock]

The European Court of Justice on Thursday (7 March) found the Belgian association IAB Europe’s consent system for auctioning personal data in breach of the EU’s General Data Protection Regulation.

Interactive Advertising Bureau Europe (IAB Europe), a trade association for digital advertising established in Belgium, has developed a solution that it claims can make the system of auctioning personal data for advertising purposes compliant with the EU’s General Data Protection Regulation (GDPR).

IAB Europe uses a consent system known as Transparency & Consent Framework (TCF), which advertisers use to gather user preferences. Google, Amazon, Microsoft, TikTok, and numerous other tracking-based online advertising companies depend on IAB Europe’s consent system, which other European data protection authorities have previously already determined breaches the GDPR.

On Thursday, the European Court of Justice – the highest court of the EU in matters of Union law – also found that IAB Europe is violating the GDPR.

“IAB Europe has sought to evade its responsibility for this charade. But the European Court of Justice has set it straight,” said Johnny Ryan from the Irish Council for Civil Liberties (ICCL).

TC string, GDPR, and data controllers

The Transparency and Consent String (TC string) contains data on what a user has agreed to or disagreed with regarding how their data is used. It includes details about the purposes, features, and companies the user has allowed or declined to use their data. The TC string is shared with personal data brokers and advertising platforms so they know about the user’s preferences.

Beforehand, through the framework, users are invited to express their preferences via a pop-up banner when visiting a website, however, according to critics, they are not always aware of what they consent to.

“People are invited to give consent, whereas most of them don’t know that their profiles are being sold a great number of times a day to expose them to personalised ads,” Hielke Hijmans, chairman of the Belgian Data Protection Authority’s litigation chamber told Euractiv in 2022.

“People across Europe have been plagued by fake ‘consent’ popups every day on almost every website and app since the GDPR was introduced almost six years ago,” Ryan said now.

Besides a TC string, user preferences are also stored on a cookie, and the two together can be linked to that user’s IP address, the Court points out.

In 2022, the Belgian Data Protection Authority already determined that the TC String qualifies as personal data under the GDPR and since IAB Europe uses this technology, it had been operating as a data controller without fully meeting GDPR requirements.

The Belgian watchdog imposed corrective actions and an administrative fine on the association, which IAB Europe is challenging, and has initiated legal proceedings before the Brussels Court of Appeal, which has sought clarification from the Court of Justice through preliminary questions.

Europe’s most used consent system deemed incompatible with EU privacy rules

Belgium’s data watchdog found that a popular mechanism for managing user preferences in Europe violates several General Data Protection Regulation (GDPR) provisions, and it requested advertisers to delete the collected data.

IAB Europe argued that it should not be considered a data controller because it only establishes the guidelines for how data should be used, rather than directly handling the data itself.

According to the European Court of Justice’s new decision, however, IAB Europe must be regarded as a ‘joint controller’ under the GDPR.

When two or more controllers jointly decide the reasons and methods for processing data, they become joint controllers and must transparently establish their responsibilities, including respecting the rights of data subjects and providing information.

Contrary to what IAB Europe says, Europe’s highest court believes that when user preferences are recorded in a TC String, IAB Europe, together with its members, plays a role in deciding how data is handled.

However, the EU Court agreed that IAB Europe is not considered a controller under the GDPR for data processing that happens after users’ consent preferences are recorded in a TC String, unless it’s proven that the association influenced how those operations are carried out, including their purposes and methods.

According to a statement by IAB Europe, the association “acknowledges the ruling handed down today” and “welcomes the CJEU ruling that provides well-needed clarity over the concepts of personal data and (joint) controllership, which will allow a serene completion of the remaining legal proceedings.”

Real-time bidding

TC strings are relevant for real-time bidding (RTB), the instantaneous selling and buying of data for advertising purposes.

This technology broadcasts sensitive information about people while they use the internet, for example, the device they are using or their location.

The bidding is an automatic process during which several advertisers bid on a piece of user information. This process usually takes fractions of a second.

The winning ad with the highest bid will be the one the user sees. However, before showing targeted advertisements, it is necessary to get the user’s permission to collect and use their data. Most applications and websites use this system; such data collection can happen even if users have a secure device.

Last November, a cross-party coalition of MEPs demanded the Commission to address real-time bidding practices, prompted by revelations that sensitive data including from European leaders was being auctioned to the highest bidder.

According to Ryan, the EU Court’s new decision “will not only end the biggest spam operation in history. It will deal a mortal wound to the online tracking-based advertising industry.”

MEPs ask Commission to act after revelations of sensitive EU data sell-off

A cross-party coalition of Members of the European Parliament demanded that the European Commission take action following the revelations that sensitive data from European leaders was being sold to the highest bidder.

[Edited by Nathalie Weatherald]

Read more with Euractiv

Subscribe to our newsletters

Subscribe