A little over a year ago, I felt I had to vent a little. I still stand behind Every. Single. Word.
Now, the data protection authority (DPA) of Belgium adds some adequate (and correctly so, if you ask me) oil to the fire.
The IAB – the Interactive Advertising Bureau in Europe – figured it would be a good idea to facilitate individuals setting their online advertising preferences, the management of those choices, and the forwarding of users' data to AdTech companies and such. ‘And such’ should be interpreted as broadly as your imagination allows you. The mechanism for this preference management they call the TCF – Transparency and Control Framework, last overhauled in 2019. In other words, after everyone already could and should have known the details of things like the GDPR.
The Belgian DPA not only hands out a EUR 250K fine, but allows the IAB 2 months to present a remediation plan.
In short, the TCF is not GDPR compliant. And this has to do with legitimate interest (in part).
The DPA found that a suitable legal basis is missing for processing and forwarding people’s data to adtech partners. Especially because, hey, what did the individuals really know? There was insufficient information provision to users. Aside from general noncompliance around ‘by design’ protection, there was also no (or at least insufficient) assessment by the IAB as to the actual GDPR compliance of those connecting to the ad network. The DPA has thus told the IAB to include such an assessment from now on, but more importantly, the DPA ruled on a prohibition on the use of legitimate interest as a basis.
Now I’d like to see how they’re going to handle that one. Not only because I like to see creativity and innovation to truly solve a problem in a gentleman-like manner to the people whom this pertains to. Also because of the pesky tracker-consent-management-popups that have the audacity to list a dozen or more purposes, PRE-CHECK the legitimate interest box for it, and add a ‘consent’ checkbox for the exact same thing.
I fear the day we deal with ‘consent’ in a polite and genuine way, truly with the individual’s best interest at heart, is still quite some time in the future. Let’s just hope such a day is indeed in the books, lest we can only read about it in English novels of fiction from the old days.
(EDIT: This is not a rant against legitimate interest as a foundation, but a view against how it is often used overly broadly. There certainly are ways in which the legal ground can be used effectively, such as for example demonstrated in a ruling by the Court of first instance in Rotterdam, Netherlands. An employee, whose image is still used as part of promotion material, has to accept continued usage of such image also after termination of employment based on the legitimate interest of, in casu, Coolblue as data controller.)