The online advertising industry and its trade body, IAB Europe, have been found to have deprived hundreds of millions of Europeans of their fundamental rights according to the Irish Council for Civil Liberties (ICCL).
The ruling will be announced shortly.
The Belgian Data Authority (the APD) has found that IAB Europe breached GDPR, Europe's data privacy law, with its Transparency & Consent Framework, following a nation by a group of complainants including Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, Dr Pierre Dewitte, and Dr Johnny Ryan, Senior Fellow at Irish Council for Civil Liberties.
According to Ryan (pictured), “Google and the entire tracking industry relies on IAB Europe’s consent system, which will now be found to be illegal”, said Ryan. “IAB Europe created a fake consent system that spammed everyone, every day, and served no purpose other than to give a thin legal cover to the massive data breach at the heart of online advertising. We hope the decision of the Belgian Data Protection Authority will finally force the online advertising industry to reform”.
The Belgian Data Protection Authority’s decision is a draft decision under the GDPR’s “one-stop-shop” mechanism, however, IAB Europe has effectively conceded. It put out a statement at the end of last week admitting the regulator "will apparently identify infringements of the GDPR by IAB Europe" while also claiming the situation is "fixable" within six months. It did not provide any details about how that might be the case.
"The draft ruling is expected to find IAB Europe to be a data controller for TCF “TC Strings”, the digital signals created on websites to capture data subjects’ choices about the processing of their personal data for digital advertising, content and measurement. The APD is understood to consider these signals to be personal data. It is also expected to find IAB Europe to be a joint controller for TC Strings in the specific context of OpenRTB," according to the industry associations statement.
We have won
The ICCL put out a statement on Friday night saying, "We have won."
According to the ICCL, "IAB Europe designed the misleading “consent” pop-ups that feature on almost all (80 per cent +) European websites and apps. That system is known as IAB Europe’s “Transparency & Consent Framework” (TCF). These popups purport to give people control over how their data are used by the online advertising industry. But in fact, it does not matter what people click."
More damaging for the industry association, however, is the suggestion by the ICCL that "Our evidence reveals that IAB Europe knew that conventional tracking-based advertising was “incompatible with consent under GDPR” before it launched the consent system. This is because the primary tracking-based ad system, called “Real-Time Bidding” (RTB), broadcasts internet users’ behaviour and real-world locations to thousands of companies, billions of times a day. RTB is the biggest data breach ever recorded. There is no way to protect data in this free-for-all."
.png&h=140&w=231&c=1&s=0)
.png&w=120&c=1&s=0)
EDUtech AU
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
