The Belgian data protection authority (APD) has issued a draft ruling regarding its ongoing investigation of IAB Europe and its role in the Transparency & Consent Framework (TCF), in response to complaints it received. The investigation was instigated by Dr Johnny Ryan and civil society organisations.
The ruling states that the APD considers ‘TC Strings’ to be personal data and IAB Europe, as manager of the TCF, to be a data controller.
We are aware that this draft ruling may raise questions among some of our members and want to reassure you that the TCF is a valid and compliant cross-industry resource and, if your business is using it, no action is needed from you as a result of the APD’s current ruling.
The draft ruling that has been shared today applies specifically to how IAB Europe manages the TCF, concluding for the first time that it is a data controller and that it must now work with the APD to meet additional requirements as a result. However, it does not apply to the TCF as a whole and it’s important to note that the framework has been conceptually approved by the data protection authority.
We will work closely with IAB Europe to understand and communicate to our members any future changes to IAB Europe’s management of the TCF, as they are agreed with the APD.
We are sharing here IAB Europe’s more detailed statement and should you have any further queries in this respect please email firstname.lastname@example.org