A few weeks ago, Belgium’s data protection authority released a decision that is likely to fundamentally alter Europe’s online advertising industry if it becomes enforceable once the legal process has fully played out.
In its 127-page decision, the embattled data protection authority found a consent framework for online advertising developed by IAB Europe, the European trade association of the digital and interactive marketing industry, in violation of GDPR. Stating that its decision would “restore order” in the online advertising industry, the Belgian regulator – which has been roiled by infighting for months – issued the industry body a fine of €250,000 and gave it two months to address its concerns.
“Brave little Belgium has once again shown that it is not afraid to tackle major cases such as this one, which really concerns all European citizens that shop, work or play online,” the privacy enforcer’s chair David Stevens said in a press release.
IAB Europe has appealed the decision before the Belgian Market Court, a specialised court that deals with legal action against market regulators. The odds are in its favour – around 60 to 80% of the Belgian enforcer’s decisions are overruled by the Brussels court.
If IAB Europe’s legal action at the national level fails, the Belgium-based industry body could appeal the decision before the European Court of Justice. This would mean that it could take up to two to three years before the decision – if it is upheld – becomes enforceable.
The February decision has nevertheless caused severe nervousness in the adtech industry due to its unusually broad interpretation of key concepts in Europe’s privacy legislation, lawyers interviewed by Law.com International said.
“The whole ecosystem in itself and the way [the players in it] interact with each other – at least via OpenRTB for example – is being put into question in this decision,” said Tom De Cordier, a partner at CMS’ Brussels office. OpenRTB is a protocol for the instant, automated online auction of user profiles in targeted advertising. IAB Europe developed its framework to help organisations that rely on this widely used protocol to comply with GDPR.
Describing the decision as an existential threat to the adtech sector, De Cordier added: “It looks like [IAB Europe’s] hopes are primarily in a court of appeal decision that might be favourable to them. Because I don’t think there is a realistic, manageable plan B if they have to live up to the high standard the data protection authority has set” in its decision.
The concerns over the decision have been compounded by the fact that the Belgian regulator deliberated with dozens of national privacy regulators as part of GDPR’s coordination mechanism before issuing its decision.
“It’s not only a Belgian DPA decision about what’s happening in Belgium; it’s a Belgian DPA decision that applies cross-border and that has been reviewed by all DPAs in the EU,” said Cédric Burton, managing partner of Wilson Sonsini Goodrich & Rosati’s Brussels office and global co-chair of the firm’s privacy and cybersecurity practice. “So you can reasonably assume it represents the view of nearly all DPAs in Europe.”
A chief cause of anxiety has been that the Belgian privacy regulator deemed not just IAB Europe, but anyone that uses its framework to be a joint data controller in its decision. This would make publishers, consent management platforms and adtech vendors jointly liable for everything that happens through the framework and open them up to GDPR fines, said Burton.
“All actors in the field are looking at [this] and thinking: ‘Well, if the DPA’s point of view is that we are jointly liable and they find the framework to be unlawful, then we need to make a decision about whether we want to use it, if so how and look at alternatives; or just go for it and take the risk related to using that framework right now,’” Burton explained. “The joint liability point is making everyone very nervous right now.”
The consequences of the broad definition of joint controllership would moreover extend well beyond the adtech industry, Burton added.
“Any company which is setting up frameworks, certification, codes of conduct, any system which allows interoperability – for all these companies, you will end up in a joint controllership situation,” he said.
Burton added: “I have a lot of clients in other sectors which are following this very, very closely and are very concerned by this broad interpretation of joint controllership.”
Another major headache has been that the Belgian regulator held in its decision that the industry group’s framework should no longer rely on legitimate interest as a legal basis for the processing of personal data.
But consent – another legal basis under GDPR – is unworkable given the dynamic nature of and the number of players involved in the online advertising ecosystem, lawyers said.
“Carpet-sweeping consent obtention is not an option” under GDPR, said De Cordier, adding that many regulators have also held that consent cannot change along the way, so to speak.
“You [would] have to log for every single consent who the partners were at the points that particular individual gave his or her consent. This makes it very rigid,” he said. “And the whole idea of this ecosystem is obviously that it can change over time.”
De Cordier added that the decision was likely to accelerate an already ongoing move away from the traditional, cookie-based online advertising model towards other ways of identifying data consumers online, for instance, through their email addresses.
The legal uncertainty that lawyers say the enforcer’s decision has created is unlikely to be resolved any time soon. IAB Europe’s overhaul of its consent framework would likely address only some of the data protection authority’s concerns, Burton said, adding that this could result in new enforcement proceedings by the Belgian regulator and a subsequent appeal from the industry group.
“In parallel to that, you could expect NGOs to look at the Belgian DPA decision and [examine] how they could on their side try to enforce that against companies involved in the adtech sphere.”
The decision – if it is upheld – may also result in a deeply different internet space, said Tanguy Van Overstraeten, a partner in Linklaters’ Brussels office and the firm’s global head of data protection.
“Depending on what is proposed by IAB Europe and what is accepted by the Belgian DPA, the adtech industry may be fundamentally impacted going forward,” he said. “This may ultimately impact the way we use the internet – which is largely free thanks to advertising – [and create] a new ecosystem with those accepting advertising and having free access, versus those paying for access to information so as not to be profiled.”
In the face of the uncertainty and the possible changes afoot, most adtech players have adopted a wait-and-see approach, said Thomas Adhumeau, chief privacy officer at Didomi, a French start-up that has developed a consent management platform used by many publishers and advertisers. It is involved in IAB Europe’s efforts to overhaul the framework to meet the Belgian privacy enforcer’s concerns.
But he described the nervousness in the adtech industry around the decision as “massive” and the stakes for the media industry as unprecedented. “We’re talking about publishers that are already struggling at the moment, generating revenues, paying their journalists and creating good content,” he said. With the February decision compounding those existing hurdles, “[it’s] really getting challenging for them,” he said.
If the industry group’s framework were invalidated after the legal process has played out, this would leave publishers and users worse off, according to Adhumeau.
“In a world where the TCF disappears, advertising is still going to be a thing and advertisers are going to want to purchase advertising inventory on publishers’ websites and publishers are going to monetise their websites,” he said, referring to the transparency and consent framework by its acronym. “Only they will probably do it in a less transparent manner.”