A double-edged string: APD holds TCF violates GDPR and IAB is responsible

The Belgian APD-GBA has issued a landmark decision holding that (1) the #TCF cookie consent string system violates the GDPR, (2) IAB Europe is a data controller and is liable for violations stemming from the TCF system, and (3) all participating organizations are joint controllers with it.

Key Points:

(1) The preferences of users in a TC String in TCF constitute personal data

  • When the consent pop-up is loaded by a script served from a server managed by the CMP, that server inevitably also processes the user's IP address, which is explicitly classified as personal data under the GDPR
  • Identification of the user is possible by linking the TC String to other data available to participating organizations within the TCF, and also in the context of OpenRTB

(2) TCF facilitates the processing of personal data

The TCF inherently entails the collection, processing, storage and subsequent sharing of users' preferences with other parties, whether or not in combination with additional personal data in the context of OpenRTB

(3) IAB Europe is responsible for the processing operations within TCF as a data controller

  • If an organization plays a decisive role in the dissemination of personal data (e.g. the dissemination could not take place without that organization's involvement), or if the processing operations carried out under its influence may substantially affect the fundamental rights to privacy and to the protection of personal data, that organization should be regarded as a data controller.
  • IAB Europe establishes the purpose of the TC String and its processing because (a) it lists the objectives of the TCF in the TCF Policies and (b) the purpose of the TC String is described in the TCF documentation (Transparency and Consent String with Global Vendor & CMP List Formats v2.0)
  • IAB Europe determines the means for processing personal data within the TCF, because:
    (a) In proposing the Terms and Conditions for the TCF, which participants are required to accept, IAB Europe also defines the rules applicable to the processing and imposes them on the participating organizations;
    (b) In proposing the TCF technical specifications, the TCF Implementation Guidelines and the TCF Policies, IAB Europe lays down, and a fortiori imposes, the settings of a data processing operation;
    (c) Storage location: IAB Europe determines the storage location and method for both service-specific and globally scoped consent cookies;
    (d) Categories of recipients of the TC String: IAB Europe determines with whom the users' preferences are to be shared, among other things by providing a list of TCF-registered adtech vendors, the so-called Global Vendor List (GVL), as well as a list of permitted CMPs (Global CMP List). IAB Europe's documentation shows that publishers who wish to use the TCF are obliged to work with a TCF-registered CMP; and
    (e) Retention period for the TC String: IAB Europe dictates, and therefore bears the responsibility for defining, the criteria by which the retention periods of TC Strings are determined.

(4) IAB and the participating organizations are all Joint controllers:

  • IAB Europe and the respective participating organizations should be considered as joint controllers for the collection and subsequent dissemination of users' consent, objections and preferences, as well as for the related processing of their personal data, without the responsibility of participating CMPs and adtech vendors detracting from IAB Europe's responsibility.
  • IAB Europe provides an ecosystem within which the consent, objections and preferences of users are collected and exchanged not for its own purposes or self-preservation, but to facilitate further processing by third parties (i.e. publishers and adtech vendors).
  • The decisions translated by IAB Europe into the provisions of the TCF policies and technical specifications, on the one hand, and the means and purposes determined by the participating organisations in relation to the processing - whether or not in the context of OpenRTB - of users' personal data, on the other hand, must be regarded as convergent decisions - and therefore this is a joint controllership.
  • CMPs: Not all CMPs must systematically be considered joint controllers together with IAB Europe and the website publishers, nor is the scope of the joint controllership without boundaries. Where CMPs determine the list of recipients in accordance with the publishers' instructions, the Litigation Chamber finds that the publishers bear the main responsibility for the transfer of personal data to adtech vendors, without prejudice to IAB Europe's responsibility.
  • Publishers: Publishers usually act as data controllers in the context of the TCF, as they decide whether or not to cooperate with a registered CMP, and are also able to determine which adtech vendors are allowed to advertise on their website or in their application. In addition, publishers can exercise control over the legal ground for a specific processing purpose and can exclude certain processing purposes. Publishers also act as data controllers for the processing of users' preferences in a TC String as well as for their personal data processed in a bid request.
  • Adtech Vendors: The adtech vendors, together with IAB, are jointly responsible for the processing operations that take place within the context of the OpenRTB for the processing purposes foreseen under the TCF and in accordance with the preferences, objections and consents collected within the TCF.

(5) IAB Europe has failed to provide a legal basis for processing users' preferences in the TC String

  • Users are not informed anywhere of the lawful basis for the CMP's processing of their own, individual preferences in relation to purposes and permitted adtech vendors.
  • Article 6.1(b) (performance of a contract) is prima facie not applicable to the processing of user preferences and the TC String. In the majority of cases, even if there were a contractual relationship between the users and the publisher, the data processing involved under the TCF would still not meet the requirement of objective necessity for the provision of the publishers' online services to the users concerned.
  • Legitimate interest does not work as a legal basis for the registration of the consent signal and user preferences by means of the TC String. Even though the purpose is legitimate and the processing is necessary, the balance against the data subjects' rights fails because (a) users are offered no option to completely oppose the processing of their preferences in the context of the TCF: regardless of which choice they make, the CMP generates a TC String before linking it to the user; (b) users are not informed of the installation of a euconsent-v2 cookie on their terminal device, whether or not they agree with the purposes and adtech vendors offered by the CMP, and moreover they are not informed of their right to object to such processing; and (c) given the potentially sensitive nature of the data and the large number of people affected, the interference with rights and freedoms is severe.
  • Consent is not a valid basis for the processing operations in OpenRTB facilitated by the TCF: (a) the proposed processing purposes are not sufficiently clearly described, and in some cases are even misleading; (b) the user interface of the CMPs does not provide an overview of the categories of data collected, which makes it impossible for users to give informed consent; (c) the information CMPs provide to users remains too general to reflect the specific processing operations of each vendor, thus preventing the necessary granularity of consent; (d) the recipients for whom consent is obtained are so numerous that users would need a disproportionate amount of time to read the information, which means that their consent can rarely be sufficiently informed; and (e) consent, once obtained by CMPs, cannot be withdrawn by users as easily as it was given.
  • The legitimate interest of the participating organisations does not outweigh the protection of the fundamental rights and freedoms of the data subjects: even though the purpose is legitimate, the processing is not necessary because the information shared is not limited. The balancing test fails because the large number of TCF partners that receive the data is inconsistent with the data subject's reasonable expectations, and in any case legitimate interest does not constitute a sufficient legal basis in the context of direct marketing involving behavioural advertising.

(6) Transparency: Information provided is not sufficient

  • People don't know that records of consent are being kept.
  • Some of the stated processing purposes are expressed in too generic a manner for data subjects to be adequately informed about the exact scope and nature of the processing of their personal data.
  • The interface offered to users does not allow, among other things, the processing purposes associated with the authorization of a particular vendor or which adtech vendors will process their data for a specific purpose to be identified in a simple and clear manner
  • The large number of third parties, i.e. the adtech vendors that will potentially receive and process the personal data of the users contained in the bid request, based on the preferences they have submitted, is not compatible with the transparency duty set out in the GDPR.

(7) Accountability

  • There is no systematic monitoring of compliance with the TCF rules by the participating organizations, which could have a significant impact (e.g. falsification or modification of the TC String into a false consent); the obligation under Articles 24 and 32 to take adequate security measures is not met.
  • IAB Europe’s accountability starts from the moment the organization designs and makes available a system for the management of consent or objections of users, but fails to take the necessary measures to ensure the conformity, integrity and validity of that consent or objection.
  • As part of its security and integrity obligations, IAB Europe must take not only organizational but also technically effective measures to ensure and demonstrate the integrity of the preferential signal transmitted by CMPs to adtech vendors

(8) Yes, there are Schrems II problems too

  • It is evident that personal data captured in TC Strings will at some point be transferred outside the EEA by CMPs, and that IAB Europe, as the defendant, acts as data controller in this regard. There is therefore an infringement of the GDPR, but given the lack of evidence of a systematic international transfer, and of its scope and nature, the APD finds it is not in a position to sanction IAB Europe for a violation of Articles 44 to 49 GDPR
  • The publishers are responsible and accountable for taking the necessary measures to prevent personal data collected through their website and/or application from being transferred outside the EEA without adequate international transfer mechanisms
  • IAB Europe should facilitate the due diligence incumbent on publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or intend to transfer personal data outside the EEA through their data processors

(9) Integrity and confidentiality (Article 5.1(f))

The current version of the TCF offers insufficient safeguards to prevent the values included in a TC String from being modified in an unauthorized manner. As a result, the personal data of a data subject bundled in a bid request may be processed for the wrong purposes, in breach of the integrity principle, and/or may end up with the wrong adtech vendors, including ones rejected by the user, in breach of the confidentiality principle.
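The integrity gap in points (7) and (9) is easiest to see by handling the format itself. The following is an added example written for this summary, not code from the decision, from the author, or from IAB Europe. It encodes and decodes the core segment of a TCF v2 TC String (field layout taken from the public TCF v2 specification, assumed here to be reproduced correctly; only the core segment is handled, and vendor sections are written as bitfields), rewrites a decoded string so that additional purposes and vendors appear as consented, and shows that nothing in the format lets a recipient detect the change. The `attach_tag` and `verify_tag` functions, the sample field values and `DEMO_KEY` are hypothetical illustrations of what a technical integrity measure could look like; they are not part of the TCF.

```python
import base64
import hashlib
import hmac

# Fixed part of the TCF v2 core segment as (field, bit width) in wire order.
# Assumption: this follows the public TCF v2 TC String format; only the core
# segment is handled and vendor sections are written in bitfield form.
CORE_FIELDS = [
    ("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
    ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
    ("vendor_list_version", 12), ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
    ("purpose_one_treatment", 1), ("publisher_cc", 12)]
LANG_FIELDS = {"consent_language", "publisher_cc"}  # two 6-bit letters, A=0

def purposes_from_bits(value, width=24):
    """Purpose 1 is the most significant bit of the 24-bit field."""
    return {p for p in range(1, width + 1) if (value >> (width - p)) & 1}

def purposes_to_bits(purposes, width=24):
    return sum(1 << (width - p) for p in purposes)

def _write_vendors(vendors):
    """MaxVendorId(16) + IsRangeEncoding(1)=0 + one bit per vendor id 1..max."""
    max_vid = max(vendors, default=0)
    return f"{max_vid:016b}0" + "".join(
        "1" if v in vendors else "0" for v in range(1, max_vid + 1))

def read_vendors(bits, pos):
    """Read one vendor section (bitfield or range encoding); return (ids, pos)."""
    max_vid = int(bits[pos:pos + 16], 2); pos += 16
    is_range = bits[pos] == "1"; pos += 1
    vendors = set()
    if not is_range:
        vendors = {v for v in range(1, max_vid + 1) if bits[pos + v - 1] == "1"}
        pos += max_vid
    else:
        n = int(bits[pos:pos + 12], 2); pos += 12
        for _ in range(n):
            rng = bits[pos] == "1"; pos += 1
            start = end = int(bits[pos:pos + 16], 2); pos += 16
            if rng:
                end = int(bits[pos:pos + 16], 2); pos += 16
            vendors.update(range(start, end + 1))
    return vendors, pos

def encode_core(fields, vendor_consent, vendor_li=frozenset()):
    """Build a core segment (fields dict + vendor id sets) as base64url."""
    bits = ""
    for name, width in CORE_FIELDS:
        v = fields[name]
        if name in LANG_FIELDS:
            v = ((ord(v[0]) - 65) << 6) | (ord(v[1]) - 65)
        bits += f"{v:0{width}b}"
    bits += _write_vendors(vendor_consent) + _write_vendors(vendor_li)
    bits += "0" * 12                      # NumPubRestrictions = 0
    bits += "0" * (-len(bits) % 8)        # zero-pad the final byte
    raw = int(bits, 2).to_bytes(len(bits) // 8, "big")
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_core(tc_string):
    """Parse the core segment (text before the first '.') into a dict."""
    core = tc_string.split(".")[0]
    raw = base64.urlsafe_b64decode(core + "=" * (-len(core) % 4))
    bits = "".join(f"{x:08b}" for x in raw)
    out, pos = {}, 0
    for name, width in CORE_FIELDS:
        v = int(bits[pos:pos + width], 2); pos += width
        if name in LANG_FIELDS:
            v = chr(65 + (v >> 6)) + chr(65 + (v & 63))
        out[name] = v
    out["vendor_consent"], pos = read_vendors(bits, pos)
    out["vendor_li"], pos = read_vendors(bits, pos)
    out["num_pub_restrictions"] = int(bits[pos:pos + 12], 2)
    return out

def forge_consent(tc_string, extra_purposes=(), extra_vendors=()):
    """Re-encode with extra purposes/vendors flipped to 'consented'. The format
    carries no MAC or signature, so recipients cannot tell this from CMP output."""
    d = decode_core(tc_string)
    d["purposes_consent"] = purposes_to_bits(
        purposes_from_bits(d["purposes_consent"]) | set(extra_purposes))
    return encode_core(d, d["vendor_consent"] | set(extra_vendors), d["vendor_li"])

# Hypothetical integrity measure, NOT part of the TCF: the CMP appends an HMAC
# under a key the recipient can verify. '~' is not a TC String character.
def attach_tag(tc_string, key):
    return tc_string + "~" + hmac.new(key, tc_string.encode(), hashlib.sha256).hexdigest()

def verify_tag(tagged, key):
    tc_string, _, tag = tagged.rpartition("~")
    expected = hmac.new(key, tc_string.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected), tc_string

# Constructed sample (not a real CMP output): consent for purposes 1-2 and
# vendors 1, 7, 42; timestamps are deciseconds since the epoch per the spec.
SAMPLE_FIELDS = dict(
    version=2, created=16_500_000_000, last_updated=16_500_000_000, cmp_id=10,
    cmp_version=1, consent_screen=1, consent_language="EN", vendor_list_version=100,
    tcf_policy_version=2, is_service_specific=1, use_non_standard_stacks=0,
    special_feature_opt_ins=0, purposes_consent=purposes_to_bits({1, 2}),
    purposes_li_transparency=0, purpose_one_treatment=0, publisher_cc="BE")
SAMPLE_TC = encode_core(SAMPLE_FIELDS, {1, 7, 42})
DEMO_KEY = b"cmp-demo-key"  # placeholder key for the illustration only

if __name__ == "__main__":
    forged = forge_consent(SAMPLE_TC, extra_purposes={3, 4}, extra_vendors={99})
    print("forged purposes:", sorted(purposes_from_bits(decode_core(forged)["purposes_consent"])))
    print("forged passes tag check:", verify_tag(attach_tag(SAMPLE_TC, DEMO_KEY).replace(SAMPLE_TC, forged), DEMO_KEY)[0])
```

Run directly, the forged string decodes cleanly with the same CMP ID, timestamps and language as the original; only a keyed check such as the one sketched rejects it. A real deployment would still have to decide who holds the key and how adtech vendors obtain it, which is the kind of technically effective integrity measure that point (7) says is missing today.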

(10) The Art 30 ROPA needs to include the TCF

In view of the large number of participating organizations and IAB Europe's intention to monitor the compliance of the various CMPs and adtech vendors more thoroughly in the future, IAB Europe should also include TCF processing in its records of processing activities.

(11) You need a DPIA for the TCF

Considering the large number of data subjects who come into contact with websites and applications implementing the TCF and the growing number of organizations participating in the TCF on the one hand, and the impact of the TCF on the large-scale processing of personal data in the context of RTB on the other, a DPIA is required.

(12) IAB Europe should have appointed a DPO

  • The TCF involves the large-scale processing of personal data: the TCF is offered in various Member States, and it intrinsically requires that users' personal data be processed in the form of a TC String for as long as is necessary to demonstrate that consent was obtained in accordance with the TCF Policies
  • The processing is regular: the contractual obligation for vendors and CMPs to submit records of consent to IAB Europe, in its capacity as Managing Organization, upon its simple request occurs continuously or at specific times during a certain period of time and is therefore regular
  • The processing is systematic: the processing of TC Strings or records of consent by IAB Europe in the current version of the TCF (i) occurs according to a system, (ii) is pre-arranged, organized or methodical, and (iii) occurs in the context of a general data collection program


Georg Philip Krog

Pioneering AI-Driven Data Privacy, Security & Compliance | Creator of Data Privacy and Security Standard Vocabularies and Ontologies | Founder of Signatu | Transforming Legal Tech into Business Advantage

2 years ago

Great summary.

MOYN U.

Global Head of Cybersecurity Operations - A Highly Experienced Cyber Security, Data Protection, (GDPR, UKDPA), and Privacy Professional Helping Organisations Become Resilient & Compliant

2 years ago

Yep, excellent article, well written. Just what I was looking for, for the last few days.

Kathleen Glass

Helping Launch Innovative Products and Services in AgTech, GovTech, IoT, AI, Privacy and CyberSecurity

2 years ago

Wow!

Mark Little

Chief Operating Officer & Chief Data Strategist

2 years ago

Excellent summary and analysis Odia Kagan. Probably the best I have seen by far.

Kathleen Aguilar, FIP, CIPP/US/E, CIPT

Privacy Law | Data Innovation and Strategy | AI | Technology and Product Counsel

2 years ago

Wow.
