Belgium: Issued ruling declaring IAB Transparency and Consent Framework in breach of GDPR

On 2 February 2022, the Belgian Data Protection Authority (APD) issued its decision in the proceedings against Interactive Advertising Bureau Europe (IAB) on the issue of the compliance of the Transparency and Consent Framework (TCF) with the GDPR. The APD has issued IAB Europe with a fine of EUR 250'000 for non-compliance with the GDPR and ordered the deletion of all data held by the IAB and other recipients of the data. The APD has found that the TCF involves the collection and dissemination of personal user preferences and data without obtaining proper consent or lawful basis, constituting breaches of the GDPR on the grounds of lawful processing (Art.6) and the principles of lawfulness and fairness. The TCF is a widely-used mechanism for collecting user consent to data collection, advertising, and cookie use upon visiting websites. Following the APD decision, the data controllers, the website providing advertising space have to disclose if they are using the TCF framework.