Citing the TCF’s “systematic deficiencies”,[4] the decision found that "the processing operations carried out on the basis of the OpenRTB protocol are not in accordance with the basic principles of purpose limitation and data minimisation".[5]
In addition, it stated:
"the TC String plays a pivotal role in the current architecture of the OpenRTB system. Thereby, the TC String supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects."[6]
Further, “consent is not a valid basis for the processing operations in the OpenRTB facilitated by the TCF”.[7]
Deletion of data
All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.
The decision said those who implement the TCF must “take the appropriate measures, in line with Articles 24 and 25 GDPR, ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly”.[7][8]
Background
These findings are the result of proceedings initiated by complainants at the Belgian Data Protection Authority, coordinated by the Irish Council for Civil Liberties. The group of complainants includes: Dr Johnny Ryan of the Irish Council for Civil Liberties, Katarzyna Szymielewicz of the Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, and Dr Pierre Dewitte. The Belgian procedure follows complaints about the insecurity of the online advertising “Real-Time Bidding” (RTB) system that Dr Ryan initiated in 2018.
The decision was made by the Belgian Data Protection Authority in agreement with 27 other EU data protection authorities, and is immediately binding and enforceable across the European Union under the GDPR’ “one stop shop” mechanism.
“This has been a long battle”, said Dr Johnny Ryan of the Irish Council for Civil Liberties. “Today’s decision frees hundreds of millions of Europeans from consent spam, and the deeper hazard that their most intimate online activities will be passed around by thousands of companies”.
We wish to thank our lawyers, Frederic Debusseré and Ruben Roex of Timelex.
We are reading the decision in detail, and will publish our more detailed analysis at a later point.
Full decision here:
Notes
[1] Paragraph 490 of decision.
[2] Paragraph 547 of decision.
[3] ibid.
[4] Paragraph 546 of decision.
[5] Paragraph 429 of decision.
[6] Paragraph 545 of decision.
[7] Paragraph 495 of decision.
[8] Paragraph 535 of decision.