EU Regulators: IAB Europe Is Not in Compliance with GDPR

Belgian investigators are scrutinizing the Belgian-based Interactive Advertising Bureau (IAB) Europe, which they say is responsible for how its members buy, sell and use individuals’ data in digital ads. According to their internal report, Google and other major online advertisers are violating Europe’s General Data Protection Regulation in its auctions. The investigation was prompted by complaints against the use of personal data in the real-time bidding (RTB) component of programmatic advertising.

The Wall Street Journal reports that IAB Europe chief executive Townsend Feehan said the charges “contained some gross misunderstandings of the scope and functionality” of its ad auction role. In 2019, about 6.7 billion euros ($7.85 billion) were spent last year on real-time, online ad bidding.

IAB Europe “also disputed the data-protection authority’s interpretation that it is a data controller with respect to member companies that implement its framework” and stated that the enforcement action was “regrettable.”

Led by Johnny Ryan, senior fellow at the Irish Council for Civil Liberties and Open Markets Institute, activists submitted the complaints that led to the investigation. Ryan said the web is “plagued by consent pop-ups, tens of times a day.” He added that the pop-ups are nothing but “a thin legal veneer over a vast data breach.” In fact, the Belgian report noted that, “a core problem … in online-ad bidding systems is how they collect personal data in circumstances when a user hasn’t consented to share it.”

Ad companies have a GDPR exemption that allows collection of personal data in limited circumstances, but the Belgian report stated that “it shouldn’t apply to personalized advertising.”

The Belgian investigation findings will be sent to the agency’s litigation chamber, which will likely deliver a decision next year. They will also be “be subject to consultation from its EU counterparts, with any disputes decided by a body comprising the privacy regulators in all 27 EU member states.”

WSJ notes that, “Google uses IAB Europe’s framework for auctions it runs to place ads on other companies’ websites but maintains its own framework for ads on its own properties.” Ireland’s privacy regulator is separately investigating Google’s digital ad auction practices.

TechCrunch reports that the complaints against personal data in real-time bidding is that “a system of high velocity personal data trading is inherently incompatible with data security requirements baked into EU law.” The IAB Europe’s pop-up for its Transparency and Consent Framework (TCF) are ubiquitous, asking users to accept or reject ad trackers.

TCF was the response to Europe’s launch of the GDPR in May 2018 and is intended to keep advertisers within the law. But the report from the Belgian data protection agency claims that, “the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing” nor does it “provide adequate rules for the processing of special category data,” which includes health information, political affiliation, sexual orientation and other sensitive information.

Upon inspection, IAB Europe was also “found not to have appointed a Data Protection Officer, nor to have a register of its own internal data processing activities.”