IAB Europe refutes criticisms of Transparency and Consent Framework
Townsend Feehan, CEO of IAB Europe, addresses recent media reports relating to the Transparency & Consent Framework and Belgian Data Protection Authority
Some recent media reports suggested that the system used by hundreds of thousands of website and app publishers to ensure transparency and consent around online advertising was found in breach of GDPR by the Belgian Data Protection Authority. As IAB Europe states, there are inaccuracies in many of the early reports and IAB Europe refutes these as well as many of the preliminary findings of the Inspection Service of the Belgian DPA.
Commenting on recent media coverage of the Belgian Data Protection Authority’s report into IAB Europe’s Transparency and Consent Framework, Townsend Feehan, CEO of IAB Europe, said:
“It is surprising and disappointing to see the degree to which the initial media coverage of this got the contents of the report completely wrong. The report does not constitute an indictment of the Transparency & Consent Framework (TCF). Its findings in relation to the Transparency and Consent Framework reflect a basic misunderstanding of how it works, and as a consequence are either not relevant or highly subjective.
“For example, the finding that the Transparency & Consent Framework needs rules on the processing of special category data is incompatible with the fact that you cannot use the Framework to process such data. Similarly, IAB Europe is not indifferent to non-compliant behaviour. TCF Policies contain explicit requirements for participants to notify IAB Europe where they identify a breach and to cease working with non-compliant parties.
“Generally, IAB Europe strives to ensure full compliance with TCF Policies and the best practices set out therein, but in no way purports to take on the responsibility of enforcing the GDPR, a responsibility which falls on those authorities specifically designated for that purpose by the regulation.”
Commenting on the characterisation of IAB Europe as a ‘data controller’ under the terms of the GDPR, Feehan said:
“The real story in the report is the novel and unsubstantiated finding that an industry association that operates a standard intended to help its members comply with the law can be considered to be a data controller, thereby sharing legal liability with every company that implements the standard. This interpretation, if upheld, would eliminate at a stroke the possibility for any industry to develop a GDPR Code of Conduct, since such codes inevitably need a host organisation, and no non-profit organisation would ever contemplate taking on such risk.
“The report’s impact on the framework is negligible. Its impact on IAB Europe as an organisation, and on any other standards body operating in Belgium, is potentially detrimental, though it is unclear what consumer protection, if any, is advanced by this.”
In conclusion, Feehan stated:
“The Transparency & Consent Framework is the most sophisticated and scrutinised model of GDPR compliance for digital advertising in the world. This preliminary report is only the first stage of the Belgian Data Protection Agency’s review and it has no impact on the operation of the Framework.
“We pride ourselves on collaboration with all stakeholders and look forward to engaging with the Belgian authority on this matter, just as we have already engaged with several Data Protection Authorities in the development of the latest version of the Framework.
We take issue with many of the claims in the report but it is worth emphasising that we are only at an early stage. We will be making a robust defence of the framework and the hundreds of thousands of website and app publishers and advertisers who rely on it every day to guide their operations.”