The Brussels Court of Appeal Upholds Belgian DPA's Decision on the Transparency & Consent Framework (TCF)

The Brussels Court of Appeal Upholds Belgian DPA's Decision on the TCF

The Belgian DPA found that the TCF did not meet certain GDPR requirements, leading to a €250,000 fine against IAB Europe.

IAB Europe Qualified as a Controller Under GDPR

The Court of Appeal confirmed that IAB Europe is a controller within the meaning of Art. 4(7) GDPR for processing operations within the TCF.

TCF String Qualifies as Personal Data

The TC String is considered personal data if combined with additional identifying information, such as the user's IP address.

Failure to Establish a Valid Legal Basis

IAB Europe did not establish a valid legal basis under Art. 6(1) GDPR for processing personal data via the TC String.

Framework Fails to Provide Clear and Accessible Information

The TCF failed to provide users with clear and accessible information, in violation of Art. 12–14 GDPR.

No Data Protection Impact Assessment Conducted

A Data Protection Impact Assessment (DPIA) was not conducted, which is a requirement under GDPR.

Additional Violations of GDPR

The Court found additional violations of Art. 5(1)(f), 25, 32, and 37 GDPR, concerning data security, privacy by design, and data protection officer obligations.

TCF Has Room for Improvement

The TCF has room for improvement and IAB Europe is committed to ongoing work to strengthen the TCF and ensure it meets the highest standards of data protection.

Uncertainty Regarding IAB Europe's Controller Status

There is uncertainty regarding IAB Europe's potential (joint) controller status in relation to the TC String.

GDPR Compliance Remains Crucial for Ad-Tech Ecosystem

The importance of GDPR compliance will become increasingly crucial as the ad-tech ecosystem continues to evolve.