Belgian DPA fines IAB Europe €250,000

Belgium’s DPA (APD) announced on 2 February that the Transparency and Consent Framework (TCF), developed by IAB Europe, does not comply with several provisions of the GDPR. The TCF is a widely used mechanism that facilitates the management of users’ preferences for online personalised advertising, and plays a pivotal role in Real Time Bidding (RTB). The APD imposed a €250,000 fine on the company, and gives IAB Europe two months to present an action plan to bring its activities into compliance.

After discussion with the other European Economic Area DPAs in the One Stop Shop, the basis of the sanction was listed as including:

  • Lawfulness
  • Transparency on information to the users
  • Accountability, security and data protection by design/by default
  • Failure to keep a register of processing activities
  • Failure to appoint a Data Protection Officer
  • Failure to conduct a Data Protection Impact Assessment.

In addition to the fine, the Litigation Chamber of the DPA ordered the company to undertake corrective measures to bring the current version of the TCF into compliance with the GDPR.

IAB Europe responded to the APD by stating:

“We reject the finding that we are a data controller in the context of the TCF. We believe this finding is wrong in law and will have major unintended negative consequences going well beyond the digital advertising industry. We are considering all options with respect to a legal challenge.”