In a decision of 2 February 2022, the Belgian Data Protection Authority found the “Transparency and Consent Framework” (TCF) created by IAB Europe to be illegal. The vast majority of online operators in the EU, including Amazon, Google and Microsoft, rely on TCF as a tool for their GDPR compliance. According to the decision, all personal data processed on the basis of the TCF should be deleted. This crucial decision was made by the Belgian Data Protection Authority as the so-called lead supervisory authority under Art. 56 GDPR in agreement with 27 other EU data protection authorities from 19 countries, including the Czech Office for Personal Data Protection.
The decision cites the following as the main reasons for the TCF’s illegality:
1) Lack of a legal basis for processing – legitimate interest is not permissible and the consent does not meet the requirements of the GDPR;
2) Breach of the transparency obligation, in particular in the sense that data subjects are not provided with adequate information on what will happen to their personal data;
3) Insufficient technical and organizational measures to ensure the security of processing and the integrity of personal data, violation of the principles of “data protection by design & by default”;
4) Lack of records of processing activities in relation to the processing in question;
5) Failure to conduct a data protection impact assessment (DPIA);
6) Failure to appoint a Data Protection Officer (DPO).
The Data Protection Authority ordered a number of remedial measures. In particular, all related personal data must be deleted and all recipients of the personal data must be informed of these measures.
The evident non-compliance of the TCF with the GDPR has been the subject of expert discussions for several years. In this sense, the ruling is not surprising. It is possible that IAB Europe will challenge the decision in court. It is also likely that there will be an effort to modify the TCF.
This decision should strengthen the long-term effort to find and enforce new rules for the online environment so that it corresponds to people’s needs and respects their fundamental right to privacy. The full decision is available here.