GDPR enforcer rules that IAB Europe’s consent popups are unlawful – Irish Council for Civil Liberties

tutti i dati raccolti con il TCF sono illeciti e vanno cancellati.

come sapere se lo faranno ?

cosa dovranno fare co in dati che hanno raccolto illecitamente e sulla base dei quali hanno costruito dei profili tramite machine learning ?

devono cancellare anche i modelli generati con dati detenuti illecitamente, direi.

e’ un bel problema.

altro tema che segnalava il prof. Meo è che molte scuole/università usano google classroom. cosa succede se viene stabilita la sua illiceità (non pare impossibile…). forse al ministero dovrebbero prepare un contingency plan, just in case…

Source: ICCL

GDPR enforcer rules that IAB Europe’s consent popups are unlawfulGoogle, Amazon, and the entire tracking industry relies on IAB Europe’s consent system, which has now been found to be illegal following complaints coordinated by ICCL. EU data protection authorities find that the consent popups that plagued Europeans for years are illegal. All data collected through them must be deleted. This decision impacts Google’s, Amazon’s and Microsoft’s online advertising businesses.2 February 2022. (Updated on 5 February with additional detail and infringements)In a decision of 2 February 2022, 28 EU data protection authorities, led by the Belgian Data Protection Authority as the leading supervisory authority in the GDPR’s one-stop-mechanism, found that the online advertising industry’s trade body “IAB Europe” commits multiple violations of the GDPR in its processing of personal data in the context of its “Transparency and Consent Framework” (TCF) and the Real-Time Bidding (RTB) system.The consent popup system known as the “Transparency & Consent Framework” (TCF) is on 80% of the European internet. The tracking industry claimed it was a measure to comply with the GDPR. Today, GDPR enforcers ruled that this consent spam has, in fact, deprived hundreds of millions of Europeans of their fundamental rights.The findings:The TCF consent system was found to infringe the GDPR in the following ways: TCF fails to ensure personal data are kept secure and confidential (Article 5(1)f, and 32 GDPR) TCF fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by online tracking-based “Real-Time Bidding” advertising (Article 5(1)a, and Article 6 GDPR) TCF fails to provide transparency about what will happen to people’s data (Article 12, 13, and 14 GDPR) TCF fails to implement measures to ensure that data processing is performed in accordance with the GDPR (Article 24 GDPR) TCF fails to respect the requirement for data protection by design (Article 25 GDPR) International transfers of the data do not provide adequate protection (Article 44, Article 45, Article 46, Article 47, Article 48, Article 49).[1]IAB Europe negligent The decision says IAB Europe “was aware of risks linked to non-compliance”[2] and “was negligent”.[3]IAB Europe was also found to have failed to fulfil its internal data protection obligations: IAB Europe’s failure to maintain records of data processing (Article 30 GDPR) IAB Europe’s failure to conduct a data protection impact assessment (Article 35 GDPR) IAB Europe’s failure to appoint a Data Protection Officer (Article 37 GDPR)Real-Time Bidding Citing the TCF’s “systematic deficiencies”,[4] the decision found that “the processing operations carried out on the basis of the OpenRTB protocol are not in accordance with the basic principles of purpose limitation and data minimisation”.[5]In addition, it stated:”the TC String plays a pivotal role in the current architecture of the OpenRTB system. Thereby, the TC String supports a system posing great risks to the fundamental rights and freedoms of the data subjects, in particular in view of the large scale of personal data involved, the profiling activities, the prediction of behaviour, and the ensuing surveillance of data subjects.”[6]Further, “consent is not a valid basis for the processing operations in the OpenRTB facilitated by the TCF”.[7]Deletion of data All data collected through the TCF must now be deleted by the more than 1,000 companies that pay IAB Europe to use the TCF. This includes Google’s, Amazon’s and Microsoft’s online advertising businesses.The decision said those who implement the TCF must “take the appropriate measures, in line with Articles 24 and 25 GDPR, ensuring that personal data that has been collected in breach of Articles 5 and 6 GDPR is no longer processed and removed accordingly”.[7][8]

Source: GDPR enforcer rules that IAB Europe’s consent popups are unlawful – Irish Council for Civil Liberties

Ti è piaciuto questo articolo? Condividilo!

Leave a Comment

Your email address will not be published.