Pulse on Policy – From Across the Pond

This month’s policy round up is turning its focus on the EU and some noteworthy developments that we are keeping an eye on in case they venture across borders. 

  • Europe First to Pass AI Data Act 
  • Court Ruling in IAB TCF Case 
  • Consent or Pay Models in the Spotlight   

Europe First to Pass AI Data Act 

Regulating both generative and predictive AI models, the EU AI Act was approved by European Parliament on March 13, 2024, and will be the world’s first comprehensive law regulating AI. While we wait for the passing of AIDA here in Canada, the EU Act will impact members operating in the EU. 

Key considerations include: 

  • Risk-Based Approach: Regulating roles throughout the AI lifecycle the Act dictates that the greater the potential risk (probability of an occurrence of harm and the severity of that harm) the greater the compliance obligations. It also introduces a new right that allows individuals to obtain from the deployer a “clear and meaningful” explanation of the role of the AI system in the decision-making process where they have been subject to a decision on the basis of a high-risk AI system, which produces legal effects or which significantly impacts their fundamental rights – this could be used in cases such as performance management or termination decision. 
  • Cross border obligations: Not unlike the GDPR, the EU’s AI Act’s scope will cross borders, and international companies (even if outside of the EU) could find themselves subject to the obligations. 
  • Penalties for Non-compliance: Getting it wrong will cost business with fines of up to EUR 35 million or 7% of the company’s global annual turnover in the previous financial year (whatever is higher). 

Court Ruling in IAB TCF Case  

IAB Europe had appealed the February 2022 decision by the Belgian Data Protection Authority (APD) against IAB Europe and the Transparency & Consent Framework (TCF) leading the APD to refer to The European Court of Justice (CJEU) on two specific matters – whether the TC string contained personal data and whether IAB Europe would be characterized as a data controller.  The recent ruling in provided clarity on both fronts.  

Key findings included: 

  • TC Strings (digital signals containing user preferences) constitute personal data, even from the perspective of IAB Europe, when they can be linked with reasonable means to an identifier such as for instance the IP address of the device of the user and IAB Europe can have access to such data 
  • IAB Europe can be viewed as a joint controller together with TCF participants in relation to the creation and use of TC Strings by publishers and vendors, on the basis that the TCF provides specifications for its processing, if IAB Europe actually influences the processing (purposes and means) for its own reasons. 
  • IAB Europe should not necessarily be viewed as a joint controller together with TCF participants in relation to the subsequent data processing performed in pursuit of the TCF purposes, such as digital advertising, audience measurement, or content personalisation since IAB Europe has no influence on such processing. The CJEU conclusion on the latter is particularly important, as the APD’s erroneous controllership qualification of IAB Europe over such processing served as a basis for the authority’s assessments of the validity of legal bases established through the TCF and corresponding sanctions. 

The Belgian Market Court will now resume its examination of IAB Europe’s arguments with the clarity given by the CJEU. This could take several months. In the meantime, it’s business as usual for the TCF which continues to be fortified with relevant updates.  

Consent or Pay Models in the Spotlight  

Consent or Pay models are causing a stir, with the Norwegian and Dutch Data Protection Authorities questioning the ethics and even the legality of the pressure on consumers to consent. In the UK regulators are taking their time to form a position and have called for a consultation on the practice. This week in the EU, IAB Europe, Alliance Digitale, IAB Italia, and IAB Spain have sent a joint letter to the European Data Protection Board (EDPB) asking for the same approach and have highlighted some important considerations in the context of the EDPB’s upcoming Opinion and subsequent Guidelines on the “Consent or Pay” model, and to request a public consultation. 

The letter expresses the view that to properly address the concerns and interests of all relevant stakeholders, the regulator needs to consider the different interests and fundamental rights at stake to strike the appropriate balance between the right to data protection and the freedom to conduct business before forming a position. If you are not up to speed on Consent or Pay take a listen to IAB Canada member Sourcepoint’s recent webinar on the “Evolution of Consent or Pay: Legal Insights and Best Practices.”