But there's more
In addition, the Belgian DPA finds that neither IAB Europe nor adtech intermediaries can rely on their legitimate interest as a processing ground, because it is far outweighed by the risks to users’ fundamental rights. Finally, the Belgian DPA notes that IAB Europe has violated the principle of data security because it has failed to guarantee that adtech companies cannot simply generate “fake consent” in order to track people, as well as the principle of data protection by design because it is much harder for people to withdraw their consent than it is to give it.
The Belgian decision is momentous, because it finally puts an end to what many believed to be not just a nuisance, but manipulative and harmful. Not only has the TCF been found incompatible with the GDPR, but IAB Europe, its developer, has been found responsible for multiple infringements of key GDPR principles of lawfulness, fairness, transparency, and security.