22 April, 2024
On last 7 March 2024 the Court of Justice of the European Union (“CJEU”) delivered its much-awaited decision in Case C-604/22 involving IAB Europe and the Belgian Data Protection Authority. IAB Europe, a Belgian non-profit association formed by entities such as publishers, e-commerce platforms and other related intermediaries within the adtech industry, drawn up the Transparency and Consent Framework (“TCF”), a framework of rules aimed, inter alia, to promote compliance with both the ePrivacy Directive and the GDPR.
Members of IAB Europe are using the TCF when personal data of a user of a website or application need to be processed within the context of an automated online auction system of user profiles for the purpose of selling and purchasing advertising space. Generally, before any user is targeted with a personalized ad, such user should have priorly consented to the processing of his/her personal data for such purposes. This explains why most of the website or App operators are currently using consent management platforms (“CMP”) to request the user’s consent for certain pre-defined purposes, including for analytics and marketing and also, in most cases, to enable a communication of the user’s personal data to third providers, usually for advertising purposes.
The user’s preferences are subsequently encoded and stored in a string known as the Transparency and Consent String (‘TC String’), which is shared with personal data brokers and advertising platforms, who will be able to know to what the user has consented by means of a cookie (euconsent-v2) which, combined with the TC String, will be linked to the user’s IP address.
In February 2022 the Belgian DPA issued a decision founding, inter alia, that IAB Europe was acting as personal data controller as regards the recording of the consent signal, objections and preferences of individual users by means of the TC String. The Belgian regulator fined and ordered IAB Europe to bring into conformity with the GDPR the processing of personal data carried out in the context of the TCF.
The non-profit association immediately opposed to such decision and brought an action before the Brussels Court of Appeal. Amongst its allegations, IAB Europe argued that only the other participants in the TCF could combine the TC String with the user’s IP address to convert it into an item of personal data, as well as that it does not have the possibility to access the data processed by its members.
Within such proceedings, the Brussels Court of Appeal raised, inter alia, the following main questions to the CJEU:
1. A character string that captures the preferences of an internet user in connection with the processing of his or her personal data constitutes personal data in respect of (i) IAB Europe and (ii) the parties that have implemented the TC String on their websites and apps?
2. IAB Europe must be classified as a controller if it offers its members a standard for managing consent which contains, in addition to a binding technical framework, rules setting out in detail how those consent data – which constitute personal data – must be stored and disseminated?
3. The answer to the question above leads to a different conclusion if IAB Europe does not itself have legal access to the personal data that are processed within that standard by its members?
As to the first question and after recalling that the aim of the EU legislature was to assign a wide scope to the concept of personal data, the Court indicates that personal data “potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinion and assessments, provided that it “relates to” the data subject.” Given that the information contained in a TC String is associated with the internet user’s IP address, such information may allow the creation of a profile of that specific user. Therefore, the CJEU concludes that TC String can constitute personal data.
Secondly, the ruling also concludes that IAB Europe acts as joint controller if it can be assumed that IAB Europe exerts influence over the personal data processing operations for its own purposes, and determines, as a result, jointly with its members, the purposes of such operations. The CJEU expressly indicates that the referring court should carry out the pertinent verifications to determine whether IAB exerts such influence or not.
Nevertheless, when pointing out, inter alia, that the TCF constitutes a framework of rules which the members of IAB Europe are supposed to accept in order to join such association, the CJEU certainly paves the way for the Brussels Court of Appeal to determine that such influence certainly exists. Unsurprisingly, the ruling also determines that the fact that IAB Europe does not itself have direct access to the personal data processed by its members under those rules does not preclude it from holding the status of joint controller for the purpose of those provisions.
Interestingly, the CJEU makes a clear distinction between the processing of personal data related with the recording of users’ consent preferences on the one hand, and the subsequent processing of personal data by TCF participants or third parties such as publishers or adtech vendors, carried out once the TC String has been generated. The CJEU points out that, in principle, IAB Europe should not assume automatic responsibility in relation with such subsequent processing.
Taking into consideration that the CJEU has found that the TC String can constitute personal data and that IAB Europe, within the context above indicated, would be acting as joint data controller, it seems clear to us that IAB Europe will need to implement all the remediation actions envisaged under the action plan filed before the Belgian Data Protection Authority, which was suspended on 15 March 2023 to await the CJEU’s response.