A flagship framework for gathering Internet users’ consent for targeting with behavioral ads — which is designed by ad industry body, the IAB Europe — fails to meet the required legal standards of data protection, according to findings by its EU data supervisor.

The Belgian DPA’s investigation follows complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising which contend that a system of high velocity personal data trading is inherently incompatible with data security requirements baked into EU law.

The IAB Europe’s Transparency and Consent Framework (TCF) can be seen popping up all over the regional web, asking users to accept (or reject) ad trackers — with the stated aim of helping publishers comply with the EU’s data protection rules.

It was the ad industry standard’s body’s response to a major update to the bloc’s data protection rules, after the General Data Protection Regulation (GDPR) came into application in May 2018 — tightening standards around consent to process personal data and introducing supersized penalties for non-compliance — thereby cranking up the legal risk for the ad tracking industry.

The IAB Europe introduced the TCF in April 2018, saying at the time that it would “help the digital advertising ecosystem comply with obligations under the GDPR and ePrivacy Directive”.

The framework has been widely adopted, including by adtech giant, Google — which integrated it this August.

Beyond Europe, the IAB has also recently been pushing for a version of the same tool to be used for ‘compliance’ with California’s Consumer Privacy Act.

However the findings by the investigatory division of the Belgian data protection agency cast doubt on all that adoption — suggesting the framework is not fit for purpose.

The inspection service of the Belgium DPA makes a number of findings in a report reviewed by TechCrunch — including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.

It also finds that the TCF does not provide adequate rules for the processing of special category data (e.g. health information, political affiliation, sexual orientation etc) — yet does process that data.

There are further highly embarrassing findings for the IAB Europe, which the inspectorate found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.

Its own privacy policy was also found wanting.

We’ve reached out to the IAB Europe for comment on the inspectorate’s findings. Update: See the base of this article for a first response. Update 2: The ad standards body has now published a statement here in which it describes the TCF as a “voluntary standard” that contains “a minimal set of best practices”. It also says it “respectfully disagree[s] with the [Belgian DPA]’s apparent interpretation of the law, pursuant to which IAB Europe is a data controller in the context of publishers’ implementation of the TCF”, adding: “If upheld, the [Belgian DPA]’s interpretation would have a chilling effect on the development of open-source compliance standards that serve to support industry players and protect consumers.”

A series of complaints against RTB have been filed across Europe over the past two years, starting in the UK and Ireland.

Dr Johnny Ryan, who filed the original RTB complaints — and is now a senior fellow at the Irish Council for Civil Liberties — told TechCrunch: “The TCF was an attempt by the tracking industry to put a veneer or quasi-legality over the massive data breach at the heart of the behavioral advertising and tracking industry and the Belgian DPA is now peeling that veneer off and exposing the illegality.”

Ryan has previously described the RTB issues as “the greatest data breach ever recorded”.

Last month he published another hair-raising dossier of evidence on how extensively and troublingly RTB leaks personal data — with findings including that a data broker used RTB to profile people with the aim of influencing the 2019 Polish Parliamentary Election by targeting LGBTQ+ people. Another data broker was found to be profiling and targeting Internet users in Ireland under categories including “Substance abuse”, “Diabetes,” “Chronic Pain” and “Sleep Disorders”.

Following the filing of RTB complaints, the UK’s data watchdog, the ICO, issued a warning about behavioural advertising in June 2019 — urging the industry to take note of the need to comply with data protection standards.

However the regulator has failed to follow up with any enforcement action — unless you count multiple mildly worded blog posts. Most recently it paused its (still ongoing) investigation into the issue because of the pandemic.

In another development last year, Ireland’s DPC opened an investigation into Google’s online Ad Exchange — looking into the lawful basis for its processing of personal data. But that investigation is one of scores that remain open on its desk. And the Irish regulator continues to face criticism over the length of time it’s taking to issue decisions on major cross-border GDPR cases pertaining to big tech.

There are still several steps to go before the Belgian DPA takes (any) action on the substance of its inspectorate’s report — with a number of steps outstanding in the regulatory process.

But, per the complainants, the inspectorate’s findings have been forwarded to the Litigation Chamber, and action is expected in early 2021. Which suggests privacy watchers in the EU might finally get to uphold their rights against the ad tracking industry/data industrial complex in the near future.

For publishers the message is a need to change how they monetize their content: Rights-respecting alternatives to creepy ads are possible (e.g. contextual ad targeting which does not use personal data). Some publishers have already found the switch to contextual ads to be a good news story for their revenues. Subscription business models are also available (even if not all VCs are fans).