On 7 March 2024, the European Court of Justice (the ECJ) published an important decision in relation to IAB Europe’s Transparency and Consent Framework (the TCF).

The judgment of the ECJ is unsurprising given previous case law on the definitions of “personal data” and “controller” under the GDPR and the ECJ’s emphasis that the overarching objective of the GDPR is to “[ensure] a high level of protection of the fundamental rights and freedoms of natural persons”.

Background

The TCF is a consent framework relied upon by many organisations that participate in the online advertising ecosystem looking to achieve compliance with the General Data Protection Regulation (GDPR) and ePrivacy Directive. It was developed by IAB Europe, an industry body representing undertakings in the digital advertising and marketing sector and under it users can give their consent preferences via a consent management platform, which creates a digital record of such preferences (the TC String) which is shared with advertising vendors.

The Belgian Data Protection Authority (DPA) had received a number of complaints that the TCF was not compliant with the GDPR.  In February 2022, the Belgian DPA found that IAB Europe acted as controller, that the TC String constituted personal data, and that IAB Europe had not complied with various obligations under the GDPR.  The Belgian DPA’s decision related to IAB Europe’s compliance, but will also have implications on the future of the TCF and whether participants can use it to obtain valid consent. 

IAB Europe appealed the decision, resulting in the Belgian Court of Appeal referring questions to the ECJ on whether the TC String constituted personal data and whether IAB Europe acted as joint controller.  It will now be for the Belgian Court of Appeal to determine the impact of this ECJ’s ruling on IAB Europe’s appeal against the Belgian DPA’s findings against IAB Europe and the TCF.

Key findings of the ECJ

  1. The consent string constitutes personal data:
    • Citing various case law, the ECJ emphasised that:
      • the definition of “personal data” covers data related to an “identifiable” person;
      • when determining whether a person is identifiable, account should be taken of “all the means reasonably likely to be used…either by the controller or by another person to identify the natural person directly or indirectly”; and
      • this means that the information required to enable identification does not all have to be in the hands of one person.
    • As the TC string contains the preferences of an internet user’s consent, it is information that “relates to a natural person” within the meaning of Art 4(1).
    • Furthermore, where information contained in a TC String is associated with an identifier, such as an IP address, that information can make it possible to identify the person concerned. Where this is the case, it must be considered that the TC String contains personal data of an identifiable user and therefore constitutes personal data.
    • If requested by IAB Europe, IAB Europe members are required to provide IAB Europe with information that allows users whose data are the subject of a TC String to be identified. This means that IAB Europe appears to have “reasonable means” allowing it to identify a particular natural person. It follows from this that the TC String is personal data. This analysis is not affected by the fact that IAB Europe itself cannot combine the TC String with the IP address and does not have the means of directly accessing the IP address from its members.
  2. IAB Europe acts as a joint controller in relation to the data processing connected to the collection of preferences in the TC String in accordance with the TCF:
    • The ECJ, citing the GDPR itself and relevant case law, notes that the definition of “controller” is broad.
    • The ECJ reminded us that. in a joint controller arrangement, whilst each joint controller must independently meet the definition of controller (i.e. must determine the means and purpose of the processing), the joint controllers do not need to have equal responsibility. On the contrary, joint controllers can be involved in different stages of the processing and to different degrees; such participation can be converging and does not have to involve a common decision.
    • It is also not necessary for each of them to have access to the personal data concerned, as established by previous case law.
    • Applying this to IAB Europe, the ECJ ruled that IAB Europe should be regarded as exerting influence over certain data processing activities connected to the TCF for its own purposes and determining, jointly with the members, the means behind such operations. This is because:
      • IAB Europe established the TCF framework with a view to promoting and enabling the operation of online advertising auction in the context of the GDPR, which the ECJ views as them determining, jointly with the members, the purpose of the data processing operations; and
      • IAB Europe determined the various rules relating to storage and dissemination of the TC String that its members must comply with in order to participate and can suspend members that do not comply with the requirements. This, according to the ECJ, supports that view that IAB Europe, jointly with the members, determine the means of the processing.

Accordingly, subject to the Belgian referring court verifying the underlying facts, the ECJ found that IAB Europe must be regarded as a joint controller of processing connected to the recording of the consent preference in the TC String in accordance with the TCF rules. The fact that IAB Europe does not have direct access to the personal data in question does not impact this analysis.

3. The above joint controller analysis does not necessarily extend to the subsequent use of this data by IAB Members.

  • The above analysis does not automatically extend to the subsequently processing of the TC String personal data for the purposes of targeted online advertising (e.g. the transmission of the data to third parties or the actual offering of personalised advertising). It would only be regarded as a joint controller of such subsequent processing if it has actually “exerted an influence over the determination of the purpose and means of that processing”. Whether this is the case would be for the referring Belgian court to ascertain in the context of the main proceedings.

Our take

The ECJ’s interpretation of “personal data” was unsurprising and confirmed the broad interpretation applied in previous case law.  On the other hand, the conclusion that a party that simply sets standards and cannot directly access the data being processed is a controller may appear, at first glance, to be an extension of the GDPR’s scope.  However, as the ECJ set out, previous case law had already established that all joint controllers need not have access to the data.  Nevertheless, the ECJ’s broad interpretation in this case could also impact other organisations, including other “sectoral organisation” that set standards.

The Belgian court will now take into account the ECJ’s findings when it resumes its examination of IAB Europe’s arguments in its appeal against the Belgian DPA’s decision. This decision of the court will ultimately determine the future of the TCF. In the meantime, IAB Europe says that it welcomes the decision as it provides “well-needed clarity over the concepts of personal data and (joint) controllership” and notes that it will be posting more “in-depth commentary” on the ruling and its consequences shortly.

In the meantime, organisations that use TCF should ensure that they comply with the most up-to-date version of the TCF, continue to monitor developments and be prepared to adjust, which given the proposed phase-out of third party cookies may ultimately be necessary in any event.