SypherPrivacyTalks - May 2025 - Week 21
by Sypher | Published in News - May 19, 2025
Welcome to #SypherPrivacyTalks — Your news and article roundup. Bringing you the top privacy & compliance stories of the week.
Belgian Market Court rules in the IAB Europe case
dataprotectionauthority.be • 7 min read
⚖️ The Market Court in Belgium issued a ruling regarding a case against IAB Europe. The court maintained the previous fine of €250,000 imposed on IAB Europe by the Belgian Data Protection Authority and reconfirmed the classification of the Transparency and Consent String (TC String) as personal data. This implies the need to comply with the GDPR when using such data.
The ruling also stated that IAB Europe acts as a joint controller specifically for processing user preferences under the Transparency & Consent Framework (TCF), and not beyond it.
Read more:
IAB’s official comment on the ruling. Further analysis in Heise. The announcement by the Belgian DPA.
Implications:
The confirmation that the TC String is considered personal data means that advertisers must ensure compliance with GDPR regulations when using such data for targeting and personalisation. This may require additional measures to obtain user consent and manage preferences effectively within the TCF.
Additionally, the clarification regarding IAB Europe's role as a joint data controller could lead to a more structured approach to data governance in the advertising ecosystem. Advertisers might need to reassess their data-sharing practices and collaborations with organisations like IAB Europe to ensure they align with regulatory expectations.
Moreover, the ruling emphasises the importance of transparency and accountability in data processing activities, prompting advertisers to prioritise user privacy and consent management in their strategies. Overall, this could lead to changes in how personalised advertising is conducted, potentially increasing operational costs and necessitating more robust compliance frameworks.
NOYB sends Meta 'cease and desist' letter over AI training. European Class Action as potential next step
🚨According to NOYB, Meta intends to use the personal data of Instagram and Facebook users to train its AI systems from 27 May onwards. The company will cite 'legitimate interest' as the basis for this processing, rather than obtaining explicit opt-in consent. In response, the non-profit group NOYB has sent Meta a cease and desist letter under the new EU Collective Redress Directive, which allows for EU-wide injunctions.
If the legal action is successful, Meta could face significant damages, potentially amounting to billions, due to its reliance on an opt-out system for data usage… read more
5.000 EUR fine for accounting and auditing firm in Romania
💶 The Romanian firm Accounting & Audit Consulting SRL has been fined €5,000 for a GDPR violation after unauthorized individuals illegally accessed the personal data of its clients' employees.
The National Authority for the Supervision of Personal Data Processing (ANSPDCP) determined that the firm had failed to implement adequate security measures to safeguard this data. The firm has paid the fine and must now regularly review its data protection procedures and train its staff on the associated risks… read more (article in Romanian).
20,000 fine for real estate agency in Spain for taking photos of residents' mailboxes during visits
💶 A Spanish real estate agency instructed its agents to photograph residents’ mailboxes in order to create a contact database, all without obtaining consent. One agent refused, was fired, and reported the practice. Spain’s data protection authority investigated and found that the data collection was illegal and non-transparent under GDPR Article 14. The company was fined €20,000…read more
US: Data broker protection rule quietly withdrawn by CFPB
malwarebytes.com/blog • 3 min read
😱 The US Consumer Financial Protection Bureau (CFPB) has scrapped plans for a 2024 rule that would have required data brokerage firms to adhere to the standards of the Fair Credit Reporting Act and obtain explicit consent before selling Americans' personal information. This leaves consumers without the additional protections that the proposal had promised… read more
--
Get connected with us on LinkedIn or by subscribing to our weekly newsletter. We do our best to select the most interesting and relevant content in our field and deliver it to you in a bite-sized format, so you can stay up to date on topics such as Privacy Management & Compliance.
