A regulatory decision on a GDPR compliance framework widely used by the digital advertising and marketing industry in Europe could impact New Zealand businesses using the framework to ensure compliance with strict EU privacy laws.
The Belgian Data Protection Authority (DPA) has fined the Interactive Advertising Bureau Europe (IAB Europe) €250,000 for failing to comply with several provisions of the European Union’s General Data Protection Regulation (GDPR). IAB Europe is a federation representing the digital advertisement and marketing industry in Europe.
The decision comes after a series of complaints were filed against IAB Europe in 2019 for allegedly breaching the GDPR in relation to the large-scale processing of personal data.
The complaints related to IAB Europe’s transparency and consent framework (TCF) in the context of real-time bidding (RTB), the automated practice of buying and selling advertising space on websites through real-time auctions.
This decision will be of particular interest to New Zealand businesses that handle the personal information of anyone living in the EU, or target their goods and services at individuals in the EU.
It also offers a timely reminder on compliance with New Zealand’s own privacy rules for those dealing with the collection of personal information in the local advertising technology sector.
How it works
RTB auctions occur as quickly as it takes a webpage to load and result in targeted advertising being displayed to website users. To display advertising specifically tailored to the website user, the user’s personal data (for instance, year of birth, gender, interests or location) is communicated to advertisers during the bidding process.
First, the DPA had to consider whether IAB Europe was a data controller, as defined in the GDPR. A ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data.
It was held that in this context, personal data included a TC String. IAB Europe asserted it wasn’t a data controller as the TCF does not require participating organisations to pursue certain objectives. Rather, it argued, the TCF aims to provide information which must be provided to data subjects in accordance with the GDPR.
The DPA considered IAB Europe was a data controller because it imposed binding rules on participating organisations for processing personal data. IAB Europe was also found to “determine the means of generating, storing and sharing the TC String by which the preferences, objections and consent of users are processed”.
As a data controller, IAB Europe is subject to several responsibilities under the GDPR – for example, ensuring the security of personal data, carrying out a data protection impact assessment and appointing a data protection officer.
The DPA further held that, as a data controller, IAB Europe had breached several articles in the GDPR including:
- Lawfulness: IAB Europe failed to establish a legal basis for the processing of the TC String.
- Transparency and information of the users: The information provided to website users was not offered in a ‘transparent, comprehensible and accessible manner’ as required. Users of webpages participating in the TCF were not given sufficient information about the categories of personal data collected about them. The information provided to website users was deemed too general, invalidating any consent received for processing.
- Accountability, security and data protection by design/by default: The integrity of the TC String was not sufficiently ensured. While IAB Europe used a consent management system, it had not taken the “necessary steps to ensure the validity, integrity and compliance of users’ preferences and consent”, meaning it was possible for consent to be falsified.
- Other obligations for controllers that process personal data on a large scale: IAB Europe failed to:
- maintain a record of processing activities;
- carry out a comprehensive data protection impact assessment; and
- appoint a data protection officer.
New Zealand businesses
As well as the €250,000 fine issued by the DPA, the DPA ordered IAB Europe to immediately delete all personal data collected through the TCF.
While the DPA’s ruling doesn’t prohibit the TCF (as requested by complainants), IAB Europe has been given two months to submit an action plan to make its activities compliant with the GDPR. This means that organisations which have implemented the TCF and rely on it to comply with the GDPR, should prepare for changes to the framework in the upcoming months.
New Zealand businesses handling the personal information of anyone living in the EU or targetting their goods and services at individuals in the EU and have implemented the TCF should take particular note of this ruling and prepare for upcoming changes.
While the DPA’s decision is unlikely to directly affect New Zealand businesses that operate solely in New Zealand, it serves as a timely reminder for New Zealand businesses dealing with the collection of personal information in the ‘adtech’ space. They should ensure they are doing so correctly under the Privacy Act 2020.
IAB Europe has confirmed it will appeal the DPA’s decision to the Belgian Market Court, asserting it is not a data controller in the context of the TCF.
IAB Europe has stated that the DPA’s ruling “will have the perverse effect of discouraging other standard-setting organisations from investing in instruments that aim to protect users and facilitate the exercise of their rights under the GDPR”.
Tania Goatley is a partner at Bell Gully. Olivia Zambuto is a lawyer at the same firm