GDPR strains shown in latest business confrontations for European companies
The Belgian Data Protection Authority (DPA) has ruled that the Interactive Advertising Bureau Europe's (IAB Europe) Transparency and Consent Framework (TCF) does not comply with the General Data Protection Regulation (GDPR). This decision highlights ongoing challenges and controversies surrounding GDPR compliance in Europe, particularly regarding the IAB's TCF and Google Analytics.
The GDPR, enacted four years ago, continues to chip away at the very tenets of how the Internet facilitates data flows and communication. The legal uncertainty, technical complexity, and enforcement actions around consent and data transfers have made almost any data collection suspect.
One of the key issues is the validity of consent obtained through the IAB Europe’s TCF, a widely used mechanism for obtaining user consent for targeted advertising cookies and tracking. Critics argue that the TCF does not adequately meet GDPR’s strict standards of freely given, specific, informed, and unambiguous consent. National data protection authorities have raised concerns that the TCF might inadequately separate legitimate interest processing from consent, blurring compliance with GDPR’s requirements.
Another contentious issue is the use of Google Analytics, which has been scrutinised over its transfer of personal data to the United States. Several European Data Protection Authorities have raised concerns about the legality of such data transfers, leading to enforcement actions and bans on the use of Google Analytics in certain EU countries.
Small and medium-sized enterprises (SMEs) continue to experience difficulties complying with GDPR due to its technical complexity and ambiguity. Obtaining valid consent, managing records of processing, and fulfilling data subject rights are costly and hard to implement effectively.
Despite GDPR being a harmonised regulation, enforcement varies by member state. Different supervisory authorities have taken divergent views on the adequacy of consent solutions and the lawfulness of tools like Google Analytics, creating complexity and compliance risks for businesses operating across borders.
The European Commission’s 2025 proposal to simplify certain GDPR provisions aims to ease compliance for SMEs and mid-cap companies by adjusting record-keeping obligations and clarifying risk criteria. However, opinions remain divided on whether this simplification significantly eases the regulatory burden or leaves key controversies unresolved.
The bone of contention is whether IAB Europe is a controller of the data supplied within the TCF, and as such, must abide by various requirements imposed by the GDPR on data controllers. Belgium's data regulator believes that IAB Europe meets the criteria for data controllership because it creates a "voluntary standard" for obtaining consent and determining how user data flows.
Without fundamental reform, the GDPR threatens to render the Internet unusable for commercial purposes in the EU. The ruling makes online advertising in the EU significantly more complicated, as publishers, advertisers, and technology vendors need to find a new solution.
Sources:
- EU Observer
- Forbes
- TechCrunch
- The Register
- The Guardian
Read also:
- VinFast Accelerates Globally, Riding On Vingroup's Technological and Financial Backing
- Interview with Jimmy Mesta, Co-Founder and CTO of RAD Security, on the Real-Time Defense Company
- Exploring Advanced Methods in Creating Virtual Reality Applications
- Transformation of Small Business Operations Accelerated with $4 Million Investment in Agentic AI by UgenticAI
