IAB Europe

Data protection digest 3 – 16 May 2025: ‘divided’ court ruling on IAB Europe, data brokers and national security

IAB Europe case results in mixed decision

IAB Europe and Belgium’s data protection authority have each claimed a ‘partial victory’ in the latest court decision over whether the IAB is liable for personal data processing through the online ad tools the industry group provides to the market, Telecompaper reports. The Belgian Market Court annulled the regulator’s 2022 decision due to procedural irregularities, notably the regulator’s failure to adequately justify why it considered TCF (Transparency and Consent Framework) Strings to be personal data. Nevertheless, the 250,000 fine against IAB Europe was upheld.

In IAB Europe’s view, the court has rejected that it is a joint controller together with TCF participants for their own respective processing of personal data for digital advertising, in line with the CJEU judgment from 2024. The court upheld only part of the decision, namely that IAB Europe is a joint controller together with TCF participants solely regarding the creation and use of TC Strings by publishers and vendors. The IAB said it has a solution to the concerns expressed by the court that is ready for implementation.

The Belgian regulator takes a different view, holding that the ruling confirms that the TC String is personal data within the meaning of the GDPR and that IAB Europe acts as a joint data controller for the processing of user preferences within the TCF, even though the court annulled the 2022 decision on procedural grounds. The ruling should have a lasting impact on the online ad industry and its real-time bidding systems in the EU, the regulator added. The Irish Council for Civil Liberties has even suggested that tracking-based advertising by Google, Microsoft, Amazon and X across Europe now has no legal basis for personal data processing.


More official guidance

Schools’ data: The education sector processes a lot of personal data: school registrations, an extensive digital work environment, and pedagogical follow-up of students. This data can be subject to data breaches, and news reports show that schools are not spared from these incidents. Over the past five years, the CNIL has been notified of only about thirty data breaches per year in primary and secondary education. However, during its interventions in the field, the regulator noted that this figure does not reflect the daily reality of educational establishments. The CNIL has identified several reasons that may explain this under-reporting:

  • It is not always easy to identify what constitutes a “data breach”.
  • The procedure to follow in the event of a data breach is sometimes unknown to operational personnel.
  • The system of responsibility for processing implemented in the national education sector is complex.

To that end, the French CNIL offers two new guides (in French) for data protection officers, school principals, school heads and administrative staff to help them react in the event of a personal data breach.

GDPR and AI equation: The Swiss data protection regulator FDPIC reminds us that, given the rapid increase in AI-supported data processing and regardless of future regulations, the data protection provisions already in force must be complied with. In particular, the Federal Data Protection Act, in force since 1 September 2023, applies directly to AI-supported data processing. The FDPIC alerts manufacturers, providers and users of such applications that, when developing new technologies and planning their use, they are required by law to ensure that data subjects have the highest possible degree of digital self-determination.

NIS2 guidance

The European Union Agency for Cybersecurity (ENISA) has developed the European Vulnerability Database (EUVD), as provided for by the NIS2 Directive. The EUVD service now openly provides aggregated, reliable and actionable information, such as mitigation measures and exploitation status, on cybersecurity vulnerabilities affecting Information and Communication Technology (ICT) products and services. The aggregated information is displayed through three dashboards: critical vulnerabilities, exploited vulnerabilities, and EU-coordinated vulnerabilities. The EU Coordinated Vulnerabilities dashboard lists the vulnerabilities coordinated by European CSIRTs, including members of the EU CSIRTs network.

Cookie consent

The Norwegian data protection authority summarises the main steps companies should follow to meet the requirements for voluntary, explicit, informed and unambiguous consent, and outlines what companies must do and must not do. The Norwegian Storting passed a new Electronic Communications Act that came into force on 1 January 2025. The rules set clearer requirements for businesses that use cookies and similar technologies:

  • Provide unambiguous information in the consent box
  • Fill out the consent banner with complete information
  • Do not make access to the website or service conditional on consent
  • Let the user choose which purposes they will consent to or not
  • Don’t use pre-ticked boxes or acceptance by inaction
  • Don’t make opting out of consent require extra clicks or be more laborious
  • Don’t hide the option to decline consent, or give it a lower attention value
  • Use clear and simple wording in buttons or similar design solutions
  • Make it easy to withdraw consent and inform about this.

More from supervisory authorities

AI literacy: The European Commission has published an AI Literacy Q&A. Art. 4 of the AI Act requires providers and deployers of AI systems to ensure sufficient AI literacy among their staff and other persons dealing with AI systems on their behalf. An organisation’s implementation plan may be built on the following steps:

  • Identify in which sector and for which purpose or service the AI system is being used, and what its opportunities and dangers are.
  • Consider the role of the organisation: is it developing AI systems, or only using AI systems developed by another organisation?
  • Determine what employees need to know when dealing with such an AI system, which risks they need to be aware of, and whether they need to be aware of mitigation measures.

EU Merger: The Commission also seeks feedback on its review of the EU merger guidelines dating from 2004 and 2008. The review should reflect economic changes such as digitalisation, globalisation and innovation, as well as the case practice and the case law developed over the past 20 years by the Court of Justice of the EU. Any interested citizen, business or association can contribute by replying to the general public consultation questionnaire, open until 3 September.

Space systems security: In Germany, the Federal Office for Information Security (BSI), in collaboration with representatives of the national information security and space industries, has developed the second part of the Technical Guideline on securing space systems (BSI TR-03184). A space system comprises a space segment and a ground segment; this publication focuses on the ground segment. It considers business processes across the entire life cycle of a ground segment, from conception to decommissioning, identifies hazards for the processes of future space missions and assigns risk management measures to them.


GDPR simplification plans

The European Commission has consulted the EDPB and EDPS on a proposal to introduce further exemptions from the GDPR’s obligation to keep records of personal data processing for SMEs. The exemption, which currently applies to companies with fewer than 250 employees, is proposed to be extended to companies with fewer than 500 employees. The EDPB and EDPS shared the opinion that, at this stage, they could express preliminary support for this targeted simplification initiative, bearing in mind that it would not affect the obligation of controllers and processors to comply with other GDPR obligations. In parallel, the EU is already working on finalising a new law to speed up the procedural rules under which privacy regulators coordinate on major GDPR cases involving Big Tech.

Data brokers


The UK Department for Science, Innovation and Technology has closed a call for evidence on data brokers and their impact on national security. The inquiry concerns activities that facilitate access to UK data (including data on UK persons, businesses and infrastructure) through data brokerage, where pre-packaged or bespoke datasets can be obtained at speed and scale. To support policy development, the government sought to establish several main points: a) the definition and services of data brokers, b) the national security risks associated with the data broker industry, c) the effectiveness of data brokers’ security and governance frameworks, and d) a breakdown of brokers’ customer base.

Record year for data breaches

The Australian Information Commissioner stated that businesses and government agencies reported more than 1,100 data breaches to the regulator and the public in 2024, the highest annual total since mandatory data breach notification requirements started in 2018 and a 25% increase from 2023. Malicious and criminal attacks were the main source of breaches. Health service providers and the Australian government again reported the most data breaches of all sectors (20% and 17% of all breaches, respectively), highlighting that both the private and public sectors are vulnerable. The report also shows that the public sector continues to lag behind the private sector in the time taken to identify and notify data breaches, despite some improvements in timeliness.

Road cameras

The Estonian Data Protection Inspectorate sent an appeal to the Ministry of the Interior, drawing attention to the inadequacy of the legal basis for the license plate recognition cameras used in the preventive activities of the Police and Border Guard Board. In the regulator’s opinion, the processing of personal data using these cameras is not based on a sufficiently clear and specific legal basis. The Inspectorate has initiated a supervisory procedure to clarify how data is processed in the police database POLIS and whether it meets data protection requirements. 

In other news

Workers’ data: Bird&Bird research examines the German Federal Labour Court’s judgment to award an employee non-material damages of 200 euros after the employer put additional personal data into the “Workday” HR management software outside the agreed-upon limitations of a completed work agreement. The parties specified which data might be submitted for testing purposes. Because the agreed-upon restrictions had been exceeded, the employer could not rely on the work agreement as the legal basis.

Aggressive telemarketing: The Italian privacy regulator Garante has imposed millions of euros in fines and stringent corrective measures on Acea Energia Spa and a network of agencies and companies. All were involved in a massive system for procuring contracts for the activation of electricity and gas supplies, based on aggressive telemarketing practices and illicit processing of personal data. The investigations revealed significant evidence of illicit activities carried out using lists of users who had recently changed energy supplier. Call-centre operators contacted these users, citing non-existent technical problems with the switch between suppliers and, by raising fears of economic damage, induced them to activate a new supply.

Geolocating remote workers: An employer cannot geolocate employees who are working remotely. This was also stated by the Italian Garante in imposing a fine of 50,000 euros on a company that tracked the geographic position of about one hundred employees while they worked in ‘agile’ (remote) mode. The investigation revealed that the company monitored its employees to verify the exact correspondence between their geographic location and the address declared in their individual smart working agreement. These checks were then followed by disciplinary proceedings by the company. All of this took place in the absence of an appropriate legal basis and adequate information, in addition to the consequent interference in the private lives of employees.

In case you missed it 

NOYB vs Meta AI: The privacy advocacy group NOYB has sent Meta a formal settlement proposal in the form of a ‘cease and desist’ letter over Europe-wide AI training. If injunctions are subsequently filed and won under the new EU Collective Redress Directive, Meta may also be liable for damages to consumers, which could reach billions. Meta has announced that it will use EU personal data from Instagram and Facebook users to train its new AI systems from 27 May onwards. Instead of asking consumers for opt-in consent, Meta relies on an alleged ‘legitimate interest’ and offers users the possibility to object to the processing before the training has started.

Facebook data leak compensation: Meanwhile, Facebook users in Germany whose data was affected by the data breach that came to light in 2021 can now join the class action lawsuit filed by the German Federation of Consumer Organisations. This follows a ruling by the Federal Court of Justice in November 2024, according to which the mere loss of control over personal data can justify a claim for damages regardless of any other disadvantages. The court considers an amount of 100 euros to be appropriate for this purpose. In serious cases, for example when sensitive data such as date of birth, relationship status or email address has been made public, consumers can seek compensation of up to 600 euros. Those affected can use a dedicated complaint form to check whether participation is an option for them and to register their complaint.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.
