Tech & Telecom Weekly - February 7, 2022

Welcome to the Tech & Telecom Weekly, an e-newsletter keeping you apprised of the latest developments in the telecommunications and high-tech industries.

---

FTC Items

The FTC and the Department of Justice jointly are seeking comments on the current version of the Merger Guidelines with an eye toward “strengthening enforcement against illegal mergers.” The Request for Comment outlines the several items on which the agencies seek input, expressly culling out how mergers in digital markets should be reviewed and what effect mergers have in the labor market. Comments are due March 21, 2022. For more information, please contact Stephanie Joyce.

---

Privacy

The Belgian Data Protection Authority has ruled (unofficial copy) that IAB Europe’s Transfer and Consent Framework, an integral element to its Real-Time Bidding program, violates numerous provisions of the EU’s General Data Protection Regulation by engaging in large-scale processing of personal data for online profiling and targeted advertising purposes.  The vast majority of European websites, including those of U.S. firms operating in Europe, use the IAB Europe’s TCF service to provide advertising support for the website.  The decision means, in effect, that the IAB Europe TCF system has violated the rights of millions of E.U. residents.

IAB Europe provides an ecosystem within which user consent, objections, and preferences are used and exchanged to facilitate advertising by third parties.  The TCF serves that ecosystem by providing a technical means for collecting and storing user preferences. 

Among the GDPR violations found were that: (1) the data processing by IAB Europe’s programs of user preferences does not have a valid legal basis, because the asserted legitimate interest of participating entities are outweighed by the interests of the data subject; (2) that IAB Europe had failed to keep track of processing operations adequately or to appoint a Data Protection Officer; (3) had failed to ensure that personal data were kept secure; and (4) had failed to provide sufficient notice regarding likely international data transfers.  The DPA rejected IAB Europe’s claim that many of these GDPR provisions do not apply to it because it is a trade association, finding instead that the organization is a data controller that in fact manages the profiling tools and has access to the personal information that they collect.  

The Belgian DPA ordered IAB Europe to delete all personal data collected by the TCF up to now and to bring the TCF into compliance with the GDPR within in 6 months.  It also imposed a fine of 250,000 Euros, which was about 10 percent of IAB Europe’s annual revenue. 

This decision could have an immediate – and disruptive -- impact on the advertising support for websites operating in the E.U.  Unless stayed, the decision, which applies throughout the E.U., is to take effect immediately.  IAB Europe has 30 days in which to appeal to the Belgian Market Court.  

For more information, please contact William Baker.

---

Note: This publication is distributed with the understanding that the author, publisher and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.