Two Recent Incidents Exhibit the GDPR's Struggle in Supporting European Businesses
The Belgian Data Protection Authority's (DPA) fine of €250,000 imposed on IAB Europe for GDPR violations related to the Transparency and Consent Framework (TCF) was annulled by the Belgian Market Court on procedural grounds in 2025. This annulment means the fine was overturned not on substantive GDPR compliance issues but due to procedural deficiencies in how the DPA handled the case.
The ruling signifies that, although the Belgian DPA initially found IAB Europe's TCF non-compliant with the GDPR, particularly concerning lawful consent for personal data processing in digital advertising, the Market Court did not uphold the penalty because the regulator did not observe the proper procedural steps. The court did not definitively rule the TCF compliant or non-compliant.
Implications of this ruling include:
- The annulment does not resolve the underlying GDPR compliance questions about the TCF or the broader challenges of managing consent and transparency in digital advertising under GDPR.
- This procedural overturn buys IAB Europe more time to adjust or defend the TCF framework, but scrutiny from data protection authorities and evolving regulatory standards remain significant risks.
- Other EU member states' regulators and the European Data Protection Board continue to scrutinize consent models and cookie policies, influencing future compliance requirements and enforcement actions beyond Belgium.
- The ongoing legal and regulatory attention on digital advertising frameworks means that IAB Europe and the industry must still address core GDPR issues, including freely given consent, transparency, and data subject rights, as regulatory case law and guidelines develop further.
In summary, the current status is that the Belgian DPA's fine against IAB Europe for issues with the TCF was annulled on procedural grounds in mid-2025, but this does not equate to a clearance of GDPR compliance concerns; these remain active and significant within the context of evolving EU data protection enforcement and policy.
Meanwhile, the EU's approach to the GDPR resembles a belief that the Internet should work like television and does not accept the implications of packet-switched networks. This has led to challenges for businesses, making almost any data collection suspect. A small e-commerce provider that uses IAB Europe's TCF and Google Analytics risks fines from European regulators.
Austria's Data Protection Authority has found that a website using Google Analytics violates the GDPR, as data could theoretically be accessed by U.S. law enforcement agencies. The Belgian DPA has ruled that IAB Europe's TCF does not comply with the GDPR. The TCF allows users to accept or reject cookie-based advertising, relieving websites of the need to create their own technical solutions.
Without fundamental reform, the GDPR will continue to chip away at the very tenets of how the Internet facilitates data flows and communication. Regulators interpret the GDPR so capriciously that businesses struggle to ensure compliance. The state of affairs is untenable for European firms that want to use the Internet to support their business.
The General Data Protection Regulation (GDPR) is celebrating its fourth anniversary, but many businesses find it confusing and restrictive. Avoiding the use of data altogether is the only way businesses can reasonably expect to avoid fines. The GDPR has created a legal nightmare for businesses, making online advertising in the EU significantly more complicated, as publishers, advertisers, and technology vendors need to find a new solution.
- Despite the annulment of the Belgian DPA's fine against IAB Europe, the GDPR compliance questions regarding the Transparency and Consent Framework remain active and significant.
- The ongoing regulatory scrutiny of data protection creates the need for IAB Europe and the industry to address core GDPR issues, such as freely given consent, transparency, and data subject rights.
- The evolving EU regulatory standards and policies continue to pose significant risks for companies like IAB Europe, even after the annulment of the fine.
- The EU's approach to the GDPR creates challenges for businesses in ensuring compliance and in carrying out almost any data collection.
- The GDPR, combined with stricter regulatory measures, has made online advertising in the EU significantly more complicated, forcing businesses to find new solutions.
- Education and self-development are crucial for businesses aiming to comply with the GDPR, given the ever-evolving regulatory landscape and potential penalties for non-compliance.