February 3, 2022
Written by
Magali Feys
Belgian DPA Highlights IAB’s Failure to Provide Technical Controls (e.g. GDPR-Compliant Pseudonymisation) to Satisfy Legitimate Interests Processing LinkedIn Logo

Belgian DPA Highlights IAB’s Failure to Provide Technical Controls (e.g. GDPR-Compliant Pseudonymisation) to Satisfy Legitimate Interests Processing

One of the key takeaways from the Belgian DPA’s invalidation of IAB Europe’s Transparency and Consent Framework (TCF) is the failure by the IAB to provide technical controls (such as GDPR-compliant Pseudonymisation) to mitigate the risks to data subjects as required to satisfy the Balancing of Interests test necessary for lawful Legitimate Interest Processing.

Consent is an absolute requirement under the ePrivacy Directive, not for all processing, but for storing as well as accessing stored data and many aspects of direct marketing using electronic communications.[1] Non-consent GDPR-compliant lawful bases, in particular Legitimate Interests processing, remain available for other processing such as data analysis, Artificial Intelligence (AI), or Machine Learning (ML) not otherwise supportable using consent.

Both historically and continuing up to the present, the legal ground of Legitimate Interests has been misused and misapplied for processing personal data to the benefit of data controllers and the detriment of data subjects. Several key industry players and commentators - including the IAB itself - have noted that:

"It is self-evident that companies cannot treat their business needs / the pursuit of their business models as synonymous with ‘legitimate interests’. The mere fact that a data controller may desire to engage in intrusive profiling in order to make money off its services is not sufficient. As Recital (47) of GDPR makes clear, what is legitimate should turn at least in part on whether a legitimate interest is served due to the relationship between the controller and subject".[2] (Privacy International)

"The tracking industry has misused legitimate interest for years".[3] (Johnny Ryan, former Chief Privacy Officer, Brave)

"We have created a messy and frightening marketplace built on the collection and use of personal information that scares the daylights out of a lot of people because they don’t understand it and cannot control it. We’ve built it in a way that requires a doctorate in engineering to understand. Governments have rightly stepped in to attempt to offer fixes, but their laws also are difficult to comprehend, by consumers and businesses alike".[4] (Randall Rothenberg, CEO, IAB)

This prior and continuing improper use, however, does not foreclose the rights of current and future data controllers to avail themselves of the different legal bases available to them under the GDPR and the e-privacy Directive (and eventually the e-privacy Regulation), as applicable to their circumstances.

The following quote from Eduardo Ustaran at Hogan Lovells speaks to the promise of lawful Legitimate Interests-based data innovation and protection:

"I personally think that after so many years of flawed cookie consent, it is a productive thing to do to introduce another approach into the legislative debate. My view is that ‘legitimate interests’ is misunderstood and underrated as a regulatory mechanism to protect our privacy".[5]

The EDPB, by citing the Rigas decision of the European Court of Justice, has previously noted that the Legitimate Interests legal basis[6] requires a controller to satisfy three conditions:[7]

  • Legitimate Purpose: the identification and qualification of a legitimate purpose pursued by the controller or by a third party. This interest of the controller or third party may be broader than the purpose of the processing but must be present at the processing date.[8]
  • Necessity: the need to process the personal data must be established as a requirement for the legitimate interest pursued.[9]
  • Balancing of Interests: the legitimate interest of the controller or third party must be balanced against the interests or fundamental rights and freedoms of the data subject, including the data subject's rights to data protection and privacy, considering the particular circumstances of the processing.[10]

If a proposed data use satisfies both the Purpose and Necessity tests, then the Balancing of Interests test must be applied to assess the impact of the intended processing on the interests or fundamental rights and freedoms of data subjects. In performing the assessment of relevant “impact”, the Article 29 Working Party has stated:

"The Working Party emphasises that it is crucial to understand that relevant 'impact' is a much broader concept than harm or damage to one or more specific data subjects. 'Impact' as used in this Opinion covers any possible (potential or actual) consequences of the data processing. For the sake of clarity, we also emphasise that the concept is unrelated to the notion of data breach and is much broader than impacts that may result from a data breach. Instead, the notion of impact, as used here, encompasses the various ways in which an individual may be affected - positively or negatively - by the processing of his or her personal data".[11]

Properly implemented GDPR-compliant pseudonymisation is a recognized means of “tipping the balance in favour of Legitimate Interests processing”[12] to enable lawful and trusted processing leveraging complex data analysis, AI, or ML.

The following graphic and accompanying narrative highlight the differences in the suitability of contract, consent, anonymisation and GDPR pseudonymisation-enabled Legitimate Interest processing to support repurposing of data for secondary processing like analysis, AI or ML.

Number references below correspond to number references in the graphic above

Number references below correspond to number references in the graphic above

  • Examples of Intended Purposes
    • Sell a trip via a website (flight, hotel, etc.)
    • Save preferences for future bookings
    • Market analytics to offer personalized future trips via email
  • Under Contract
    • Can sell initial trip, but cannot (a) save for future bookings or (b) market for future trips
  • Under Consent
    • Can save preferences for future bookings within scope of consent only
    • Works only for lawful marketing analytics which are disclosed with specificity at time of initial data collection
  • Analysis, AI and ML is (a) secondary processing under Contract and (b) fails the requirements for advanced specificity required for Consent, and thus would require obtaining new consent or a new legal basis. [13]
  • Due to the details of the data collected and the need to retain indirect identifiers and attributes unprotected to perform desired analytics, the requirements for anonymisation under the GDPR are not satisfied.
  • GDPR-compliant pseudonymisation protects data when in use during computation for analytics, AI and ML, which helps to tip the balance in favour of processing by the data controller for lawful Legitimate Interests processing.


When properly implemented - Consent can serve as the groundwork for Legitimate Interests processing which - when properly implemented - can provide the legal basis for lawful and ethical marketing-related analytics, AI and ML.

It is important to also note that - when properly implemented - GDPR compliant Pseudonymisation is considered by many (including the EDPS) as “the most viable supplementary measure to transfer personal data to third countries not offering an equivalent level of protection” under Schrems II.[14]


[1] Article 5(3) of ePrivacy Directive at However, see Article 13(2) with respect to direct marketing using what is now commonly referred to as “soft opt-in”.

[2] Privacy International; see Final Complaint Acxiom %26 Oracle.pdf at 28.

[3] Johnny Ryan, chief policy officer at Brave; see

[4] IAB, see at 8

[5] Eduardo Ustaran - Hogan Lovells Privacy and Cybersecurity Practice Global Co-Head; see

[6] See Article 29 Working Party Opinion on the notion of legitimate interest of the data controller under Article 7 of Directive 95/46/EC, currently under revision by the EDPB (see the EDPB Work program 2021/2022 adopted on the 16 March 2021)

[7] See EDPB Recommendations 02/2021on page 3 at citing CJEU judgement of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde v Rīgas pašvaldības SIA ‘Rīgas satiksme’, Case C-13/16, ECLI:EU:C:2017:336

[8] Id, citing CJEU judgement of 11 December 2019, TK v Asociaţia de Proprietari bloc M5A-ScaraA, Case C-708/18, ECLI:EU:C:2019:1064

[9] Id.

[10] Id, citing CJEU judgment of 24 November 2011, Asociación Nacional de Establecimientos Financieros de Crédito (ASNEF) and Federación de Comercio Electrónico y Marketing Directo (FECEMD) v Administración del Estado, Cases C-468/10 and C-469/10, ECLI:EU:C:2011:777, points 47 and 48; CJEU judgment of 19 October 2016, Patrick Breyer v Bundesrepublik Deutschland, Case C-582/14, ECLI:EU:C:2016:779

[11] See Article 29 Working Party 06/2014 at at 35.

[12] See pages 42 and 67 at

[13] See

[14] See at 4:00. NOTE: see Section 491 of the Belgian DPA opinion which states “Furthermore the Litigation Chamber notes that, contrary to its obligation under the principles of accountability and of data protection by design and by default, IAB Europe did not foresee any mechanism to ensure that participating publishers and CMPs have put in place adequate mechanisms for potential international transfers of the TC String, as foreseen under Articles to 44 to 49 GDPR, both at the time of its creation and when transmitting the TC String to participating adtech vendors.”

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.