For those watching the slow motion unpicking of surveillance advertising in the European Union here’s a fresh development on the long and winding road to a long-overdue legal reckoning: Multiple grounds for appeal lodged by industry body, the IAB Europe, against a breach finding earlier this year against its self-proclaimed “best practice” framework for obtaining consents from web users for their data to be processed for behavioral advertising, have been dismissed by the Brussels Market Court of Appeal.
At the same time, legal questions have been referred to Europe’s top court related to a number of other appeals grounds — which means a hard ruling will be coming down the pipe for a flagship component of surveillance adtech’s elaborate machinery in the coming years.
At specific issue here is a “cross industry” framework specced out and promoted by the IAB Europe, and taken up by scores of publishers and advertisers to claim they’re obtaining web users ‘consent’ to ad tracking but which critics argue boils down to elaborate ‘compliance theatre’ — enacting a pantomime of consent to workaround the EU’s privacy laws.
This consent tool, aka the Transparency and Consent Framework (TCF), underlies the majority of irritating ad consent pop-ups that plague web users in the region — yet it was found in breach of the bloc’s General Data Protection Regulation (GDPR) earlier this year, after a lengthy investigation by Belgium’s data protection authority, confirming what privacy and legal experts had been warning for years: That majority consent to tracking ads is a big fat lie.
News: the Brussels Court of Appeal dismisses various IAB Europe procedural grounds of appeal and agrees to refer our preliminary questions to the European Court of Justice. https://t.co/EIs1iCuSit
— Johnny Ryan (@johnnyryan) September 7, 2022
GDPR violations confirmed in the Belgian authority’s decision on the TCF, back in February, cover major principles like the lawfulness of processing; fairness and transparency; security of processing; integrity of personal data; and data protection by design and default, among others.
The IAB Europe itself was also found to have breached the GDPR. And the online ad industry body was given a hard deadline of six months to fix a laundry list of violations — although the TCF has been allowed to persist in the meanwhile (so the annoying pop-ups haven’t yet gone away).
The IAB Europe responded to the regulatory slap-down by firing up its lawyers and lodging an appeal — seeking to undo the Belgian DPA’s decision by arguing against it from multiple angles, from claims of procedural unfairness to flat denials that its role or the technologies it steers breach any EU laws.
Simultaneously, in a further denial of an existential privacy problem with tracking ads, the body said it planned to press on and submit the TCF as a “transnational Code of Conduct,” apparently eyeing grafting on ‘compliance’ with U.S. regulatory requirements (like California’s CCPA). (An associated, U.S.-based adtech body, the IAB Tech Lab, published a draft replacement “global” framework this summer, called the “Global Privacy Platform,” which it claims “streamlin[es] technical privacy and data protection signaling standards into a singular schema and set of tools which can adapt to regulatory and commercial market demands across channels” — but which critics warn merely repeats many of the same glaring flaws that have landed the TCF in legal hot water in Europe, so the lack of reforming zeal is palpable.)
But how much mileage the IAB can get out of denying legal reality in the EU — where data protection is (at least on paper) comprehensive and privacy is a fundamental right — is the big question.
In a first blow to its appeal against the TCF’s GDPR strike down, a bunch of its procedural gripes have now been tossed.
Grounds for appeal?
Of eight grounds decided on by the Brussels court at this point in the appeal, five were found to be entirely unfounded — with only two of the final grounds considered “well-founded in part,” as the Court’s ruling puts it. (Those related to a finding that additional allegations and complaints — centered on whether a mechanism in the IAB’s framework constitutes personal data — were incorporated into the decision after the hearing without “sufficient diligence.” Although the court stresses that the authority would not have had to open a whole new investigation, as the IAB had argued, so this looks like a fairly minor procedural win.)
The other five grounds that the court has decided on at this stage — such as the IAB’s assertion that the complaints were inadmissible or the authority’s Inspection Report was “incomplete and biased” — were all dismissed.
However there are yet more grounds lodged by the IAB (the ruling lists 19 in all). And the appeal is now suspended pending the Court of Justice (CJEU)’s response to legal questions related to these grounds.
The referred questions center on whether a per-user consent string passed via the TCF constitutes personal data (the IAB argues not but the Belgian DPA decided it did, as the complainants also argue); and whether the IAB, which couches itself as a humble industry standards body, is a joint data controller for the purposes of the TCF and the so-called “TC string” (again, it argues not but it was found by the authority to be a joint controller).
“That the Brussels Court of Appeal has referred our questions to the European Court of Justice shows the importance of this case,” said one of the original complainants, Dr. Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, in a statement. “Today’s judgement is the next step in our effort to put an end to the consent pop-ups that have harassed Internet users in Europe for years. We now look forward to the answers from the European Court of Justice and subsequently a judgement on the merits of the Brussels Court of Appeal.”
The CJEU could take a few years to produce a ruling on these questions but there’s no route of appeal on what it decides. So the train has now left the station.
There will — in fairly short order — be a hardened verdict from the court on crux points like whether an entity that devises and promotes mass surveillance adtech infrastructure, and whose rules dictate core procedures of this tracking machinery, is able to evade the full force of EU privacy law by claiming it’s just a standards body guv! And on the IAB’s flagship sleight-of-hand — when it claims TC strings aren’t personal data and don’t link to individuals ergo there’s no need for a legal basis for processing them anyway — which would be quite the get-out-clause for behavioral ads from EU data protection law if allowed to stand by the court.
(The Belgian DPA’s response to that argument was to point out that the TCF links the consent string to the user’s IP address, which is absolutely considered personal data under GDPR; and that users of the tool are also able to identify users via other data; and that, indeed, the whole point of the TC string is to identify the user.)
At this point it pays to refresh the memory on how the GDPR defines personal data [with added emphasis ours]:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
So now EU citizens annoyed by countless illegal pop-ups must hold their breath for a CJEU ruling. (But the finest legal minds in Europe surely won’t need to cogitate for too long to call out this mulligan.)
Next stop, enforcement?
In the meanwhile, the Belgian DPA could — and really should — restart enforcement of the original order, given the vast scale of the violations and risks to Europeans’ fundamental rights of allowing unlawful mass surveillance by out-of-control adtech to continue unchecked.
Asked about his expectations for enforcement, Ryan told TechCrunch he’s looking into whether the authority’s decision can now finally be applied (a preliminary Belgian ruling on the TCF, also finding it in breach of the GDPR, dates back almost two full years at this point).
“The extension was until the Markets Court decision. So it should be able to apply it now,” he suggested, adding: “The tracking-based online ad industry must reconcile itself to the likelihood that EU data protection law will actually be enforced.”
We also reached out to the Belgian authority and to the IAB Europe with questions — but neither had responded at press time.
Update: A spokesperson for the Belgian DPA confirmed that the ad industry body submitted an action plan to it in April — “as required in our February decision”. “The BE DPA does intend to pursue its assessment of the measures proposed in the Action Plan sent in April by IAB Europe. However, the BE DPA will not comment further on the content of the action plan at this moment,” they added.
The spokesperson further specified that the action plan the IAB submitted to it “was not presented as the so-called Global Privacy Platform, which has, it seems, been entirely developed by IAB Tech Lab“.
Following the Brussels court referral, the IAB Europe posted a statement on its website about the developments — acknowledging what it refers to as an “interim ruling”, as well as the referral of questions to the CJEU which it said it “welcomes.”
“The interpretation of the notions of personal data and controllership embraced by the APD [Belgian DPA] is unnecessarily broad from a consumer protection point of view and has significant negative implications for the development of open standards and the Codes of Conduct foreseen in the GDPR,” added Townsend Feehan, IAB Europe’s CEO, in a canned comment. “It would place an unacceptable financial burden on host organisations, discouraging the development of these important compliance tools.”
I go deep into some of the technical issues in the post. All the problems of TCF are here, as are even more problems. Notably, their backwards compatibility process seems to mean layering over past APIs in unclear ways. https://t.co/1XrT89KWZa
— Aram Zucker-Scharff | @Chronotope@indieweb.social (@Chronotope) September 6, 2022
In a statement posted on its website after the court referral, the Belgian authority said that it will “now have to further analyse the ruling before being able to express itself in more detail on its content” but it professes itself “already pleased with this decision, which will further clarify key concepts of the GDPR such as the definition of the concept of data controller, and its applicability to framework designers.”
Hielke Hijmans, chairman of the DPA’s Litigation Chamber, added in a statement: “The IAB Europe case, in which we ruled in February, has an impact that goes far beyond Belgium. That’s why we think it is a good thing that it is being discussed at the European level, at the Court of Justice of the EU.”
The authority also wrote that its decision has “made an important contribution to the protection of Internet users’ privacy in Europe, through its analysis of the mechanism for recording users’ preferences for targeted online advertising,” further arguing: “It will raise awareness about online advertising, and especially about the mechanism behind the consent to receive targeted advertising.”
The DPA’s statement went on to say that Belgium will “discuss possible next steps with its EU counterparts.”
Which, well, sounds a little bit like ‘watch this space’…
Behavioral ad industry gets hard reform deadline after IAB’s TCF found to breach Europe’s GDPR
Comment