Since 2018, IAB Europe has promoted and developed a Transparency and Consent Framework (TCF), allowing publishers to communicate consent information to their advertising partners. Today, this framework is an industry standard used by many websites or apps in Europe that show ads.
On 2 February 2022, the Belgian Data Protection Authority (APD) issued a decision on IAB Europe and the Transparency & Consent Framework (TCF).
Main findings and sanction
The APD considered some features in the TCF not to be compliant with the GDPR. In particular, the APD decision found that IAB Europe is a data controller for the TC String, which is considered personal data. As a result, several remedies have been imposed, including a fine of EUR 250.000,00 and a requirement to exclude legitimate interests as a legal basis for any TCF purpose. Read the entire decision here →
The decision addressed to IAB is likely to have effects across Europe. However, it doesn’t directly apply to publishers or vendors. Furthermore, the APD decision itself does not conclude that the use of TC Strings or the TCF more broadly is illegal.
Here at iubenda, we will be keeping a close eye on the matter and keeping you updated with any new decisions.
2) Newly Published Documentation
New data protection requirements in Quebec – As of 22 September 2022, the obligations outlined by Quebec’s “Commission d’accès à l’information” come into effect. The Commission indicated that companies must designate a person responsible for protecting personal information, amongst other things. Read more here → (in French)
ANPD issued guidance for government and public sector data processing – The Brazilian Data Protection Authority (ANPD) has published guidelines for the government and public sector data processing under the General Data Protection Law (LGPD). The guidance outlines the legal basis for processing and the relevant principles to be considered by public bodies. Access here → (in Portuguese)
Brazil – The ANPD Board of Directors unanimously approved the Regulation of application of the LGPD for small-sized enterprises. The Regulation aims to make it easier for small-sized enterprises to comply with the General Data Protection Law (LGPD). Read the official notice here → (in Portuguese)
The Italian Data Protection Authority (Garante Privacy) issued fines against two companies of €400,000 and €200,000 for sending unsolicited advertising text messages. In addition to the fine, the second company, a marketing service provider, was prohibited from using data from sources that did not meet the minimum legitimacy requirements, i.e., unverified lists of contacts.
The Spanish Data Protection Authority (AEPD) issued a fine against Vodafone for personal data security breaches, including the unlawful disclosure of personal data to third parties and the failure to implement appropriate technical and organizational measures. Read the decision here → (in Spanish)
4) New and Upcoming Legislation
European Commission to release draft Data Act – Euractiv (pan-European media network specializing in EU policies) reports that the European Commission will introduce the Data Act on non-personal data on 23 February. The law will regulate manufacturers of connected products, digital service providers, and users. Read more on the Commission’s decision here →
5) Strong Impact Tech
Advertisers Demand Antitrust Probe of Google’s Ad-Tracking – Digital advertisers seek a broader German antitrust probe of Google’s news service, potentially deepening scrutiny of how the search engine gathers data. The Movement for the Open Web, a group of companies that prefer to remain anonymous for fear of retaliation from the Alphabet Inc. unit, filed a complaint with the German Federal Cartel Office on 01/02/2022. More information here →
Other key information from the past weeks
The EDPB adopted its opinion on the GDPR-CARPA certification scheme submitted to the Board by the Luxembourg Supervisory Authority (SA).
Advocate General of the Court of Justice of the European Union Giovanni Pitruzzella has issued a favourable opinion on the EU Passenger Name Record Directive and its compliance with EU data protection standards.
US Senators urge President Biden to prioritize the enactment of data privacy legislation at the federal level in 2022, as a follow-up to the introduction of the American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act last year.
US Senators introduced the Algorithmic Accountability Act of 2022, requiring new transparency and accountability for automated decision systems.