A recurring theme in the feedback we are getting from the market on the Transparency & Consent Framework (TCF or “the Framework”) is that it increases the degree of legal liability that publishers bear under EU data protection rules, notably by forcing them to assume full liability for actions by third parties that are beyond their control.
In fact, nothing could be further from the truth. The TCF does not create new rules on liability, nor does it alter existing ones. Those rules are regulated by law and by contract, neither of which is affected by the Framework. The GDPR states that controllers are responsible, and therefore liable, for the processing of personal data they control. A controller is also liable for processing done on its behalf by processors under its control, unless the processor acted against the instructions of the controller.
In addition, liability is regulated through other law, such as tort law, and contract law. In many cases companies will contractually stipulate where liability lies – agreeing amongst themselves how to share it out as part of a normal commercial negotiation. Such contracts are typically concluded between publishers and their third-party partners, something that will not change under the GDPR or the TCF.
The Framework allows publishers to provide consumers transparency into the third-party partners they work with, and to obtain and transmit user consent signals to those partners. Indeed, the reason we need these signals is that third parties must comply with the GDPR’s transparency requirements and, where they are leveraging the consent legal basis, must be able to demonstrate that the user has indeed consented. These things are only possible if there is a signal.
For example, if a publisher lets a third party know that it has not provided transparency into on behalf of a third party, and has not obtained consent on behalf of a third party (maybe because the publisher doesn’t work with that third party), and that third party starts processing personal data regardless, the publisher is now able to demonstrate that it has duly informed the third party of all relevant facts allowing blame and liability to be established clearly with the third party that has engaged in unlawful processing despite better knowledge.
If anything, publishers are in a better position implementing the Framework than they were pre-GDPR. This is because thanks to the audit trail it creates in order to convey information up the delivery chain, the Framework will make it possible to detect what parties were acting without the necessary legal basis, so that liability can be correctly apportioned.