Belgian DPA finalizes draft IAB decision

Julie Rubash, Chief Privacy Counsel
November 30, 2021




The Belgian DPA announced that it has finalized and sent to its European counterparts a draft decision regarding compliance by IAB Europe’s Transparency & Consent Framework (TCF) with GDPR. According to the announcement, 27 supervisory authorities have indicated their willingness to be involved in the procedure. The DPAs will have a period of 4 weeks to provide feedback, after which the decision will either be finalized, revised or sent to dispute resolution.


A copy of the draft decision has not been made public, but IAB Europe issued a statement earlier this month revealing that the draft opinion was expected to find the “TC Strings” that are passed through the TCF to constitute personal data controlled by IAB Europe under the GDPR. The willingness of 27 DPAs to be involved in the procedure indicates the anticipated implications of the decision across Europe, but it’s unclear at this point whether the DPAs will align with or dispute the decision. 

ICO Issues Privacy Standards for Adtech

The UK Information Commissioner’s Office (ICO) published an Opinion detailing its expectations for new online advertising initiatives proposed by Google and other market participants, encouraging such participants to demonstrate how their proposals meet such expectations. The Opinion suggests that all new initiatives should engineer data protection requirements by default, offer users the choice of receiving ads without tracking, profiling or targeting based on personal data, be transparent about how and why personal data is processed across the ecosystem and who is responsible for the processing, articulate the specific purposes for processing personal data and demonstrate how that is fair, lawful and transparent, and address existing privacy risks and mitigate any new privacy risks that their proposal introduces.


In addition to setting out the ICO’s expectations for new initiatives, the ICO provides its insights into certain existing initiatives, including that the TCF and its use by publishers has not significantly addressed concerns previously posed by the ICO and that Global Privacy Control (GPC) does not appear to offer a means by which user preferences can be expressed in a way that fully aligns with UK data protection requirements. The ICO also warned that identifier-based solutions may not sufficiently address the ICO’s issues regarding transparency, control, consent or accountability, pointing out that PECR applies if terminal equipment information is processed, regardless of whether the information is personal data, and that identifier-based solutions involving the original email address may not result in effective pseudonymisation. Overall, the ICO made clear that solutions seeking to preserve “business as usual” will not meet their expectations and that the industry “must recognise the need for change”. 

Google Makes Updated Privacy Commitments to the CMA

The UK Competition and Markets Authority (CMA) revealed eight new commitments offered by Google to address the CMA’s concerns with Google’s Privacy Sandbox proposals. Among other commitments, Google agreed to clarify internal limits on data Google can use, provide greater certainty to third parties developing alternative technologies, report regularly to the CMA on how Google has taken account of third-party views, and maintain its commitments for 6 years from acceptance by the CMA. The CMA will consult on the commitments until December 17, after which, if the commitments are accepted, the CMA will close its investigation.


The CMA has been investigating Google’s proposals for almost a year. Google offered a previous set of commitments in June 2021, to which the CMA responded with several concerns, resulting in the current set of updated commitments. If the CMA accepts the commitments, they will become legally binding, forcing Google to maintain an ongoing 6-year reporting relationship with the CMA.

CNIL Issues Guidelines for Alternatives to 3PC

The French DPA (CNIL) published guidelines regarding alternatives to third-party cookies, reminding companies that such ad targeting innovations must “always be compliant with the data protection legal framework, especially, the rules regarding consent and the rights of data subjects.” The guidelines walk through concepts of first-party cookies, fingerprinting, single sign-on, unique identifiers and cohort-based ad targeting and highlight the importance of allowing users to keep control over their data, avoiding the processing of sensitive data, and remaining responsible for the implementation of tracking techniques.


Like the ICO privacy standards mentioned above, the CNIL guidance stresses that, regardless of whether personal data are processed, access to the user’s terminal equipment for storing or recording information for non-strictly-necessary purposes requires prior written consent. In other words, removal of third-party cookies, or even personal data, from ad targeting doesn’t necessarily eliminate a company’s obligations under GDPR, ePrivacy and other privacy laws.


India Data Protection Bill Moves Forward

India’s Joint Parliamentary Committee reportedly adopted a draft report on the Personal Data Protection Bill 2019, moving the bill forward for presentation in the Winter Session of Parliament. 


This bill is almost two years in the making. The panel finalized a previous draft report last year, but consultations were reopened in September when a new chairman of the Joint Parliamentary Committee made several changes to the bill, including expanding certain provisions to cover both personal and non-personal data. This latest version reportedly contained some last-minute changes regarding government agency exemptions and application to social media platforms.

UAE adopts data protection law

The United Arab Emirates President reportedly approved, as part of a larger legislative package, a comprehensive Data Protection Law that, among other provisions, prohibits the processing of personal data without consent, imposes certain security and data-transfer obligations, and extends user rights to correct, restrict and opt out of the processing of personal data. The President also approved a law to establish the UAE Data Office dedicated to the protection of personal data.


The Data Protection Law is the UAE’s first-ever comprehensive data privacy law at the federal level. Certain free trade zones of the UAE previously had data protection regimes, but until now, there has been no law or central regulator at the national level, which had left onshore areas under federal jurisdiction without data privacy protection. Some speculate adoption of the federal Data Protection Law may lead to an adequacy decision for data transfers from the European Union.


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
