Belgian TCF Ruling: Is it game over for the TCF?

“My best was never good enough”, goes the Bruce Springsteen song. The adtech industry may be feeling that sentiment following the Belgian Data Protection Authority’s ruling that IAB Europe’s Transparency and Consent Framework (TCF) does not fully satisfy ePrivacy and GDPR requirements in its current form.

What was the decision and what were the key aspects?

The Belgian DPA (the Autorité de protection des données) issued an administrative ruling against IAB Europe on 2 February 2022 regarding IAB Europe's status as a "controller" of personal data processed by participants in the TCF and, critically, whether compliance with the TCF is sufficient for website publishers, consent management providers (CMPs) and adtech vendors to provide transparency and demonstrate a lawful basis (whether consent or legitimate interests) for their processing.

Whilst the Belgian DPA did not prohibit the TCF as a concept, it did make several important rulings impacting the current form of the TCF.  Specifically, these were:

1. The current form of the TCF is insufficient for the purposes of providing transparency to data subjects.
2. The current form of the TCF is insufficient for the purposes of obtaining consent from data subjects to adtech processing.
3. The current form of the TCF is insufficient to establish legitimate interests as a lawful basis for processing data subjects' personal data for profiling (and possibly for other TCF purposes).

With respect to IAB Europe's role as a controller, the Belgian DPA ruled that:

4. The "TC string" (the binary string generated by cookie consent management platforms which contains user preferences with respect to processing of their data for adtech purposes in reliance on consent or legitimate interests) is personal data;
5. IAB Europe is a joint controller with publishers, CMPs and AdTech vendors for the collection and sharing of the TC string and for subsequent processing of personal data as part of OpenRTB.  This finding is somewhat surprising in light of the fact that, while IAB Europe sets the TCF standards, it does not process any personal data itself for adtech purposes; and
6. IAB Europe was found not to be compliant with certain controller obligations under the GDPR such as designating a data protection officer.  On this last point, IAB Europe had not previously considered itself a controller of data processed by TCF participants (because it was not processing any data itself), and so it is unsurprising that IAB Europe would have been found non-compliant with obligations to which it did not consider itself subject.

What has IAB Europe been ordered to do?

IAB Europe has been ordered to produce an action plan by 2 April 2022, setting out how it proposes to remedy the issues with which it has been found non-compliant in the decision. If and when the action plan is agreed with the Belgian DPA, which could take some time, IAB Europe must implement those actions within a further six-month period.  If IAB Europe can reach agreement with the Belgian DPA, this may result in a new version of the TCF being launched.

Does this reflect the wider view of Data Protection Authorities (DPAs)?

It effectively represents the majority view of the DPAs in the European Economic Area (EEA).

The Belgian DPA's decision followed consultation with other DPAs in the European Economic Area via the GDPR's one-stop-shop “cooperation procedure", where the lead authority for the entity under investigation consults other data protection authorities for their views before reaching a final decision. The Belgian DPA's press release stated that there were two objections by other EEA DPAs to an earlier draft decision but that the current decision has been "approved by all concerned authorities representing most of the thirty countries in the European Economic Area".

Is IAB Europe appealing?

Yes.

On 4 March 2022, IAB Europe announced that it had filed an appeal to the Belgian Market Court against the Belgian DPA's decision.

IAB Europe says in its FAQs document that it disputes and has appealed these aspects of the Belgian DPA's decision:

• that it acts as a controller "for the recording of TC strings";
• that it acts as a joint controller for the "dissemination of TC Strings and other data processing done by TCF participants under the OpenRTB protocol" (the protocol by which participants in the adtech chain exchange data for real-time bidding purposes); and
• that the current form of the TCF cannot be used to establish a lawful basis for processing. IAB Europe says that the Belgian DPA's consideration of the legal bases aspect was carried out "in the abstract, without reference to the particular circumstances surrounding any discrete act of data processing".

As a separate matter, they have also asked for enforcement of the decision (i.e. including the requirement for IAB Europe to produce the remediation action plan) to be suspended until the appeal is complete.

How long will the appeal process take?

IAB Europe have said that they expect a decision on the suspension of enforcement within the next few weeks. Given this expected timing, and the deadline by which it must submit its remediation action plan, if a suspension of enforcement is granted, it might not be much before the remediation action plan submission deadline – or, possibly, could even come after such a deadline.

It is unclear how long the appeal on the substantive issues would take. Turnaround times of six months are not unusual for appeals in the Market Court on the merits of a case but, given the complexity of the issues at stake here, there are good reasons to think an appeal may take longer in this instance.

Will the Market Court overturn the Belgian DPAs findings?

This is difficult to predict.  The Belgian DPA's decision was taken following comments from several other supervisory authorities under the one stop shop process and, in light of that, the Market Court may be unlikely to accept the appeal in full. Perhaps the aspect of the appeal most likely to succeed is the challenge to the Belgian DPA's finding that IAB Europe is a joint controller of personal data processed by TCF participants.

For now, IAB Europe appear optimistic. They have indicated in their FAQs document that they have serious reservations about the substance of the Belgian DPA decision. They have also indicated that the ruling makes clear that the Belgian DPA is not prohibiting the TCF entirely, but wants IAB Europe to remediate the TCF to provide greater controls and transparency to data subjects.

Will EEA DPAs start immediately taking enforcement action in the wake of this decision?

The hope of many adtech players is that EEA DPAs will hold off further enforcement action during the appeal process and/or until IAB Europe has finished implementing an action plan. It is unclear yet whether this will be the case. The Dutch DPA was reported in a Dutch newspaper to have refused to exclude the possibility that it will initiate enforcement actions against websites that use the TCF. Nevertheless, it would seem strange for DPAs to initiate enforcement on the basis of findings made in a decision that is currently under appeal.

Does this decision spell the end of the TCF?

This is the question to which everyone wants an answer.

Ultimately, the answer will depend firstly on the outcome of the appeal and whether this results in any of the findings regarding the TCF being overturned.

If IAB Europe submit a remediation action plan (either in parallel with the appeal, or if the appeal is unsuccessful), then the fate of the TCF will depend upon whether IAB Europe can propose changes to the framework that satisfy the Belgian DPA. In particular, a lot will depend on whether IAB Europe can find other ways to improve data subject transparency and consent through the TCF.

The challenge is the inevitable tug of war between providing sufficient detailed and granular information to data subjects, and making that information concise enough so that it actually gets read and understood by data subjects.  This is likely to prove very challenging given the number of participants that can be involved in an adtech processing chain (website publishers, SSPs, exchanges, DSPs, measurement partners, and so on).

What impacts might this decision have?

Again, we can only speculate.  However, it seems likely that this decision will have short, medium and long term ramifications.

In the short term:

Many vendors and publishers are likely to feel there is not enough legal certainty to make any changes and so will follow a "wait and see" approach for now until the result of the appeal is announced. Many of these publishers will consider that they are dependent on adtech to monetise the content they make available to their visitors, and so cannot remove targeted advertising from their sites overnight without other monetisation streams in place.  They are also likely to be reluctant to move away from the TCF in the short term, notwithstanding the Belgian DPA's decision.  The primary concern is that, despite the Belgian DPA making adverse findings against the TCF, there are no other industry-standard solutions that provide a consistent transparency and consent experience in the way that the TCF does, and that ad hoc solutions provide an even more confusing experience for data subjects (and therefore are even less likely to provide valid transparency and obtain valid consent). In that sense, switching from the TCF to an ad hoc consent experience is likely to be perceived by many as jumping out of the frying pan and into the fire.

For now, many are likely to therefore continue their reliance on the TCF, but some publishers and CMPs are exploring how they might provide additional information disclosures within their cookie banners in light of that aspect of the Belgian DPA's ruling. Some adtech vendors are also likely to revisit their reliance on legitimate interests as a legal ground to process data for adtech purposes, and consider switching over to consent-based processing only.

In the medium term:

If the appeal is unsuccessful, IAB Europe will aim to agree a remediation plan with the Belgian DPA that will likely result in a new version of the TCF (i.e. TCF v3 – the current version is v2).  IAB Europe appears optimistic in this respect, stating in its FAQs document that "TCF can and will continue to improve in ways that better align with the [Belgian DPA]’s vision and other DPA guidance". Vendors and publishers will need to see how this plan develops and whether a TCF v3 is a practical solution that they can implement.  If not (or if IAB Europe is unable to agree amends to the TCF that satisfied the Belgian DPA), the industry will need to consider other ways either: (a) to provide transparency and get consent (which would likely lead to a rise in the use of ad hoc transparency and consent mechanisms), or (b) to avoid user profiling (e.g. by pivoting to contextual ads).

In the long term:

Regulatory and civil society concerns about personalised advertising are unlikely to go away and, as a result, pressure on personalised advertising is likely to continue increasing with time – regardless of the outcome of IAB Europe's appeal. In light of this, it seems likely that demand will grow for "less risky" solutions – in particular, contextual advertising solutions, or perhaps so-called "private marketplace" advertising models that involve far fewer participants (and so where the likelihood of being able to provide valid transparency and obtain valid consent is greater).

Only one thing is for sure - don't expect this issue to go away any time soon.