GDPR GAZET

01     The IAB Consent Framework violates the GDPR

​

​

At the beginning of February, theGBAdropping a bombshell on the European online advertising landscape by ruling that IAB Europe's Transparency and Consent Framework (TCF) violates the GDPR. 

 

Goal TCF: facilitating GDPR compliance with online behavioral advertising via OpenRTB

 

The TCF plays a key role in the so-called “real-time bidding” whereadvertisersbe able to bid on available advertising space on websites and applications based on user profiles. This automated auction ensures that when people visit a website or use an application, they see personalized advertisements placed by the highest bidders on their profile in a fraction of a second.

 

IAB Europe has developed a standard with the TCF consisting of policies, technical specifications and conditions and agreements that participating companies must comply with with the aim of real-time bidding via the OpenRTB protocol in accordance with the GDPR. For example, participating companies must use a recognized Consent Management Platform (CMP) so that users of their websites and/or applications see a pop-up requesting them to make their advertising preferences known, if they are not yet known. or expired. In this way, the user can consent or not to have his personal data processed for marketing purposes and shared with other actors in the advertising ecosystem, and object to various processing operations subject to an opt-out arrangement.

 

Do advertisement preferences via TC String keep track of personal data?

 

A central role is reserved for the 'Transparency and Consent String' or 'TC String' for short, which consists of a character string. The user's advertising preferences (particularly grantedpermissionsand opt-outs) are linked to this along with limited metadata. In addition to a possible copy on the server of the provider of the CMP, the TC String is maintained on each user's device using the cookie “euconsent-v2” placed by the CMP. The participating companies can consult and update users' advertising preferences when relevant.  

 

With regard to its responsibility regarding the TCF, IAB Europe believes that it only provides a framework and does not itself act as a controller in processing user preferences. It would always be the CMPs themselves that generate and store the TC String, and read it out via their own servers. However, the DPA notes that IAB Europe accurately defines the purposes (enable publishers and adtech companies to display digital advertising in a transparent manner and under valid legal bases) and means (content TC String and determine retention periods, determine manner) in its policies and technical specifications. of access by adtech vendors, storage locations, recipients, …) of the processing. TheGBAtherefore considers IAB Europe in this context as joint controller together with the participating companies.

 

IAB Europe raises the second important argument that the TC String in itself does not constitute personal data, so that no legal basis is required for its processing. The GBA judges that it is indeed not irrefutable that the TC String in itself is personal data because of the limited metadata and values contained in it. However, the process of the user passing on his preferences inevitably involves processing of the IP address, so that the preferences are associated with an identifiable user. In addition, the TC String specifically aims to capture the preferences of a particular user, which confirms to the GBA that it ispersonal datashould go.

 

No legal basis for capturing user preferences and further processing within OpenRTB

 

No legal basis has been established for the above-mentioned processing via the TC String, nor does IAB Europe provide information about this to the data subjects. In addition, there is also a lack of a valid legal basis for the further processing initiated through the user interface of the CMPs. The legitimate interest is invoked in an invalid manner and where permission is requested, it does not meet the requirements of the GDPR. Data subjects would not be able to give informed consent due to the insufficiently detailed information in the user interface of the CMPs and the large number of actors involved.

 

TCF violates the GDPR and IAB Europe is (jointly) responsible as Managing Organization

 

The GBA judgeson the basis of the above that IAB Europe acts as (joint) controller for the conscious processing in the management of the TCF and hereby commits various violations of the GDPR, including:

 

1. the failure to establish a legal basis for the processing of the TC String, and the inadequacy of the legal grounds provided for further processing by adtech companies

2. a lack of transparency and information towards users, providing them with information that is too general and too vague to understand the nature and scope of the processing, in particular through real-time bidding

3. accountability and security violations, and failure to adhere to the principles of "privacy by design" and "privacy by default", including failure to verify the validity and integrity of users' choices and an insufficiently deterrent apply a sanctioning mechanism in the event of infringements by participating companies (e.g. falsification or amendment of the TC String)

4. failure to keep a processing register, failure toto appoint a DPOand not performing oneData Protection Impact Assessment (DPIA).

 

Sanction

 

The GBA imposes heavy sanctionsfor the breaches because the TCF can lead to a large group of citizens losing control over their personal data. In particular, it imposes a fine of 250,000 euros, along with a series of corrective measures and an order to bring the current version of the TCF into line with the GDPR. For example, IAB Europe will, among other things, have to establish valid legal grounds for the processing operations and will from now on have to thoroughly screen participating organizations to ensure that they comply with the GDPR. IAB Europe must submit a concrete action plan for this purpose by the end of March, after which it will have 6 months to implement it concretely.

 

Conclusion

 

The above decision confirms that even organizations that provide an overarching framework and concrete guidelines for data processing that is mainly carried out by other organizations cannot escape their obligations under theGDPR. This includes vetting organizations that wish to adhere to such a standard. An important question now arises for companies that subscribe to the TCF, be it as a publisher, advertiser, vendor, or in another role. We think it is going too far to conclude from the decision that appeals to the TCF should be discontinued immediately, which will also be difficult for existing collaborations where this is a contractual requirement. After all, IAB Europe has 2 months to propose concrete adjustments and then 6 months to implement them. The GBA therefore keeps the door open for preserving the method of capturing user preferences through the TC String, providing more extensive information and, among other things, additional guarantees. For further processing, the consent process will need to be reviewed and made more transparent. All this can result in a stronger, GDPR-compliant standard. In the meantime, however, as an organization that subscribes to the TCF, it may be advisable to get started with the recommendations of the GBA and, among other things, to adjust its own processing policy and its own information banners and privacy statement accordingly. The decision is still subject to appeal.

​

​

​

02     Recommendations, advice and guidelines

 

​

EDPB: New guidelines on right of access 

 

The European Data Protection Board (EDPB) has now issued its new guidelines published concerning the right of data subjects to inspect their personal data. Currently, a public consultation on the guidelines is ongoing until March 11, so that comments can be submitted until that date, after which the EDPB will come up with a final version.

 

The guidelines support organizations and theirDPOsand/or data protection officers by answering questions that may arise when a request for access to personal data comes in from, for example, an employee, customer or business partner. These include:

 

• which personal data are involved and how they should be provided (from what time, with regard to which processing activities, in what form, …)

• security measures to be taken when providing access

• the verification of the identity of the person requesting access

• the refusal of requests for manifest unfoundedness or excessiveness

• rights, freedoms and legal provisions that may lead to the restriction or refusal of a request for access.

The guidelines contain several practical examples on the concrete application of the right of access in various sectors and circumstances. In addition, they contain flowcharts on the line of thinking that organizations should follow when responding to such requests. It is therefore advisable to save the guidelines, to adjust the internal procedures that your organization already has, and to consult them if you have any doubts about the handling of a request for access. 

​

​

​

VTC: new guidelines on the use of office applications in the cloud by local authorities

​

The Flemish Supervisory Commission (VTC), which monitors the application of the GDPR by the Flemish administrative authorities, has new guidelines published on the use of office applications in the cloud by local authorities.

 

In this, the VTC takes the position that the use of general office applications in the public cloud is not acceptable for structural file management, nor for the exchange of sensitive personal data such as vaccination statuses or as a platform for citizen participation. In that sense, she also points out that cloud use should not be the standard and should always be the subject of a concrete consideration with an eye for alternative solutions.

 

The VTC also points out measures to be takenby Flemish administrative authorities when they wish to use public cloud applications, including:

 

• always concluding a processing agreement and not simply registering for a service based on standard terms and conditions, which may result in non-compliance under the GDPR, and with an eye for the various licensing options and their level of security

• exclusive use of data centers/servers in Europe

• 2 or multi-factor authentication to access accounts

• proper role management

• using a recognized encryption algorithm

• the privacy-friendly setting of the applications used.

​

​

​

03     Privacy Newsflash

​

French regulator CNIL also considers the use of Google Analytics to be contrary to GDPR

​

Following the Austrian privacy regulator, the French CNIL also formally takes the position that the use ofGoogle Analyticsin its current design is contrary to the GDPR. In particular, the transfers of personal data that take place to the US in this context are unlawful due to the lack of appropriate safeguards. 

 

The CNIL expressly confirms that the additional measures taken to date by Google are not sufficient to neutralize the risk of government access in the US to personal data of European data subjects. It therefore requests website visitors to bring the use of Google Analytics into line with the GDPR or to discontinue it if necessary, or to use a tool that does not process personal data outside the EEA. 

 

The CNIL indicates that this reasoning also applies to other tools where personal data of website visitors are exported to the US and warns of possible corrective measures in the near future.

 

 

Federal government launches information website on the processing of personal data by the government

 

The federal government has set up the website MyData.Belgium.be as the first step in a transparency project aimed at the Belgian citizen. The approach is to provide citizens with clear information in an accessible manner about the use of their personal data by the federal government. The aim is to strengthen trust between government and citizens and to offer citizens more control over their personal data. The website provides a global overview of the personal data of citizens held by each federal government agency, its source, the purposes for which it is processed, and who can receive this data. In that sense, it can be regarded as a kind of public processing register issued by the federal government. You can search on the basis of federal government agency, and on the basis of the processed category of personal data. It is therefore not possible via the website to inspect the concrete personal data that the federal government has of the user.

 

​

EDPB starts coordinated European action towards cloud use by governments

​

The EDPB has launched a coordinated enforcement action on the use of the cloud by the governments of the EU Member States (and by the EU institutions). Partly due to the COVID pandemic, government organizations are increasingly turning to cloud technology. However, they may experience difficulties in obtaining thisGDPR-compliant ICT products(guarantees provided, obligations between controller and processor, international transfers, …).  

 

The EDPB seeks to identify these challenges in order to promote best practices and ensure the adequate protection of personal data. A result of the analysis at EU level is expected before the end of this year. 

 

At the national level, the DPA is participating in the action by initially conducting a fact-finding investigation of 2 major ICT service providers for government agencies, and of 5 government agencies that process large amounts of health data and that have played a crucial role in the context of theCOVID pandemic. 

 

 

European Commission waives infringement proceedings against Belgium due to possible lack of independence of the GBA

​

For the time being, the European Commission will not take Belgium to the Court of Justice of the European Union due to an alleged lack of independence of the GBA. This has been confirmed by a spokesman for the European Commission after the resignation of Frank Robben as a member of the GBA. Frank Robben was an external member of the Knowledge Center of the GBA, but at the same time he was the driving force behind various government projects that the GBA has to check for compliance with data protection rules, which raised questions about the independence of the Belgian privacy regulator. Although this potential conflict of interest is no longer an issue, the European Commission has not yet fully closed its file. It continues to monitor the situation and maintains contact with the Belgian authorities, in particular with regard to the preliminary draft law that, among other things, should provide additional guarantees against incompatibilities and conflicts of interest at the DPA in the future. The preliminary draft has already been approved by the Council of Ministers and will also be submitted to the GBA itself, the Court of Audit and the Council of State.

 

​

EDPB issues first opinion on national certification mechanism

​

The EDPB has issued its first opinion on a general national certification mechanism under the GDPR to the Luxembourg privacy regulator CNPD. This concerns the GDPR-CARPA certification, with which Luxembourg organizations may be able to demonstrate in the future that they process personal data in accordance with the GDPR. It is a generally applicable mechanism that is not tied to a specific sector or processing activity. In its opinion, the EDPB points out that the certification criteria in their current draft may lead to an inconsistent application of the GDPR and calls for several changes regarding, among others, the scope of the certification mechanism, the certification criteria and the basic principles of the processing.  

​