For those watching the slow-motion unpicking of surveillance advertising in the European Union, here’s a fresh development on the long and winding road to a long-overdue legal reckoning: Multiple grounds for appeal lodged by industry body the IAB Europe against a breach finding earlier this year against its self-proclaimed “best practice” framework for obtaining consent from web users for their data to be processed for behavioral advertising have been dismissed by the Brussels Market Court of Appeal.
At the same time, legal questions have been referred to Europe’s top court related to a number of other appeal grounds — which means a hard ruling will be coming down the pipe for a flagship component of surveillance adtech’s elaborate machinery in the coming years.
At specific issue here is a “cross industry” framework specced out and promoted by the IAB Europe, and taken up by scores of publishers and advertisers to claim they’re obtaining web users’ ‘consent’ to ad tracking but which critics argue boils down to elaborate ‘compliance theatre’ — enacting a pantomime of consent to work around the EU’s privacy laws.
This consent tool, aka the Transparency and Consent Framework (TCF), underlies the majority of irritating ad consent pop-ups that plague web users in the region — but it was found in breach of the bloc’s General Data Protection Regulation (GDPR) earlier this year, following a lengthy investigation by Belgium’s data protection authority, confirming what privacy and legal experts had been warning for years: That majority consent to tracking ads is a big fat lie.
GDPR violations confirmed in the Belgian authority’s decision on the TCF, back in February, cover key principles like the lawfulness of processing; fairness and transparency; security of processing; integrity of personal data; and data protection by design and default, among others.
The IAB Europe itself was also found to have breached the GDPR. And the online ad industry body was given a hard deadline of six months to fix a laundry list of violations — though the TCF has been allowed to persist in the meanwhile (so the annoying pop-ups haven’t yet gone away).
The IAB Europe responded to the regulatory slap-down by firing up its lawyers and lodging an appeal — seeking to undo the Belgian DPA’s decision by arguing against it from many angles, from claims of procedural unfairness to flat denials that its role or the technology it steers breach any EU laws.
Simultaneously, in a further denial of an existential privacy problem with tracking ads, the body said it planned to press on and submit the TCF as a “transnational Code of Conduct”, apparently eyeing grafting on ‘compliance’ with US regulatory requirements (like California’s CCPA). (An associated, US-based adtech body, the IAB Tech Lab, published a draft replacement “global” framework this summer, called the “Global Privacy Platform”, which it claims “streamlin[es] technical privacy and data protection signaling standards into a singular schema and set of tools which can adapt to regulatory and commercial market demands across channels” — but which critics warn simply repeats many of the same glaring flaws that have landed the TCF in legal hot water in Europe, so the lack of reforming zeal is palpable.)
But how much mileage the IAB can get out of denying legal reality in the EU — where data protection is (at least on paper) comprehensive and privacy is a fundamental right — is the big question.
In a first blow to its appeal against the TCF’s GDPR strikedown, a bunch of its procedural gripes have now been tossed.
Grounds for appeal?
Of eight grounds decided on by the Brussels court at this point in the appeal, five were found to be entirely unfounded — with only two of the final grounds considered “well-founded in part”, as the Court’s ruling puts it. (Those related to a finding that additional allegations and complaints — centered on whether a mechanism in the IAB’s framework constitutes personal data — were incorporated into the decision after the hearing without “sufficient diligence”. Although the court stresses that the authority would not have had to open a whole new investigation, as the IAB had argued, so this looks like a relatively minor procedural win.)
The other five grounds that the court has decided on at this stage — such as the IAB’s assertion that the complaints were inadmissible or the authority’s Inspection Report was “incomplete and biased” — were all dismissed.
However there are yet more grounds lodged by the IAB (the ruling lists nineteen in all). And the appeal is now suspended pending the Court of Justice (CJEU)’s response to legal questions related to those grounds.
The referred questions center on whether or not a per-user consent string passed via the TCF constitutes personal data (the IAB argues not but the Belgian DPA decided it did, as the complainants also argue); and whether or not the IAB, which couches itself as a humble industry standards body, is a joint data controller for the purposes of the TCF and the so-called “TC string” (again, it argues not but it was found by the authority to be a joint controller).
“That the Brussels Court of Appeal has referred our questions to the European Court of Justice shows the importance of this case,” said one of the original complainants, Dr Johnny Ryan, senior fellow at the Irish Council for Civil Liberties, in a statement. “Today’s judgement is the next step in our effort to put an end to the consent pop-ups that have harassed Internet users in Europe for years. We now look forward to the answers from the European Court of Justice and subsequently a judgement on the merits of the Brussels Court of Appeal”.
The CJEU could take a couple of years to produce a ruling on these questions but there’s no route of appeal on what it decides. So the train has now left the station.
There will — in relatively short order — be a hardened verdict from the court on crux points like whether an entity that devises and promotes mass surveillance adtech infrastructure, and whose rules dictate core processes of this tracking machinery, is able to evade the full force of EU privacy law by claiming it’s just a standards body guv! And on the IAB’s flagship sleight-of-hand — when it claims TC strings are not personal data and do not link to individuals ergo there’s no need for a legal basis for processing them anyway — which would be quite the get-out-clause for behavioral ads from EU data protection law if allowed to stand by the court.
(The Belgian DPA’s response to that argument was to point out that the TCF links the consent string to the user’s IP address, which is indeed considered personal data under GDPR; that users of the tool are also able to identify users via other data; and that, indeed, the whole point of the TC string is to identify the user.)
At this point it pays to refresh the memory on how the GDPR defines personal data [with added emphasis ours]:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
So now EU citizens annoyed by countless illegal pop-ups must hold their breath for a CJEU ruling. (But the finest legal minds in Europe surely won’t need to cogitate for too long to call out this mulligan.)
Next stop, enforcement?
In the meanwhile, the Belgian DPA could — and really should — restart enforcement of the original order, given the vast scale of the violations and risks to Europeans’ fundamental rights of allowing unlawful mass surveillance by out-of-control adtech to continue unchecked.
Asked about his expectations for enforcement, Ryan told TechCrunch he’s looking into whether the authority’s decision can now finally be applied (a preliminary Belgian ruling on the TCF, also finding it in breach of the GDPR, dates back almost two full years at this point).
“The extension was until the Markets Court decision. So it should be able to apply it now,” he suggested, adding: “The tracking-based online ad industry must reconcile itself to the likelihood that EU data protection law will actually be enforced.”
We also reached out to the Belgian authority and to the IAB Europe with questions — but neither had responded at press time.
The IAB Europe has posted a statement to its website about the developments, acknowledging what it refers to as an “interim ruling” and the referral of questions to the CJEU — which it says it “welcomes”.
“The interpretation of the notions of personal data and controllership embraced by the APD [Belgian DPA] is unnecessarily broad from a consumer protection point of view and has significant negative implications for the development of open standards and the Codes of Conduct foreseen in the GDPR,” added Townsend Feehan, IAB Europe’s CEO, in a canned comment. “It would place an unacceptable financial burden on host organisations, discouraging the development of these important compliance tools”.
In a statement on its website, the Belgian authority writes that it will “now have to further analyse the ruling before being able to express itself in more detail on its content” but it professes itself “already pleased with this decision, which will further clarify key concepts of the GDPR such as the definition of the concept of data controller, and its applicability to framework designers”.
Hielke Hijmans, chairman of the DPA’s Litigation Chamber, added in a statement: “The IAB Europe case, in which we ruled in February, has an impact that goes far beyond Belgium. That’s why we think it is a good thing that it is being discussed at the European level, at the Court of Justice of the EU.”
The authority goes on to write that its decision has “made an important contribution to the protection of Internet users’ privacy in Europe, through its analysis of the mechanism for recording users’ preferences for targeted online advertising”, further arguing: “It will raise awareness about online advertising, and especially about the mechanism behind the consent to receive targeted advertising.”
The DPA statement adds that Belgium will “discuss possible next steps with its EU counterparts”.
Which, well, sounds a little bit like ‘watch this space’…