19 March 2024
On 7 March 2024, the Court of Justice of the European Union (“CJEU”) delivered its judgment in IAB Europe v Gegevensbeschermingsautoriteit, Case C-604/22, relating to the lawfulness of a compliance mechanism for online tracking developed by Interactive Advertising Bureau Europe (“IAB Europe”).
IAB Europe is a non-profit association established in Belgium which represents undertakings (such as publishers, e-commerce and marketing undertakings and intermediaries) in the digital advertising and marketing sector at European level. Some of the companies who are members of IAB Europe generate substantial income through the sale of advertising space on websites or apps.
IAB Europe previously developed the Transparency and Consent Framework (“TCF”), which is a standard that allows users’ preferences for advertising purposes to be easily stored in a Transparency and Consent String (“TC String”). When a user consults a website or app containing advertising space, technology companies, which represent thousands of advertisers, can bid in real time, behind the scenes, to acquire that advertising space in order to display advertisements which are tailored to the user’s profile. Such real time bidding is generally performed via an automated online auction system called the OpenRTB protocol.
The TCF’s purpose is to enable legally compliant online advertising and to promote compliance with the GDPR when companies use the OpenRTB protocol via a Consent Management Platform (“CMP”) which records a user’s preferences. A CMP is an interface which appears when users first visit a website or app, where they can consent to the collection and sharing of their personal data or object to one or more of the ways in which adtech vendors process personal data.
Users’ preferences are then encoded and stored in a string composed of a combination of letters and characters, the TC String, which is then shared with personal data brokers and advertising platforms allowing these companies to know what the user has consented or objected to. The CMP also places a cookie (euconsent-v2) on the user’s device. In combination, the TC String and the euconsent-v2 cookie can be linked to a user’s IP address.
In February 2022, after receiving complaints from several Belgian and foreign parties about the TCF, the Belgian Data Protection Authority (the “Belgian DPA”) found that, by recording consent, objections and preferences of individual users as a unique TC String, the TC String is linked to identifiable users and thereby constitutes personal data and that IAB Europe acts as a data controller in this regard. The Belgian DPA ordered IAB Europe to adopt a series of technical and organizational measures to bring its practices into conformity with the provisions of the GDPR and imposed an administrative fine.
IAB Europe has contested this decision and has brought an action before the Belgian Market Court (a complete timeline of the domestic proceedings in Belgium is available here), which, in September 2022, referred questions to the CJEU for a preliminary ruling. The questions the CJEU was asked to consider centered on whether the TC String constitutes personal data and whether IAB Europe is a data controller within the meaning of Article 4 of the GDPR.
In its judgment, the CJEU confirmed that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Specifically, the CJEU stated that where the information contained in a TC String is associated with additional data, such as, inter alia, the IP address of an individual user, that information may make it possible to create a profile of that user and to identify the person concerned.
Importantly, however, IAB Europe does not have direct access to the additional data such as IP addresses. That information was instead held by the members of IAB Europe. Nevertheless, the CJEU stated that the above finding could not be called into question simply because IAB Europe cannot itself combine the TC String information with additional data and does not have the ability to directly access this data processed by members of IAB Europe. Whilst IAB Europe does not have direct access to the additional data, it can obtain access on request, which the CJEU has determined constitutes “reasonable means” of allowing it to identify a particular individual through a TC String. This finding, however, is subject to further verifications to be carried out by the Belgian Market Court, meaning that it will be for the Belgian court to determine whether IAB Europe, in fact, has such reasonable means of accessing the additional data in practice.
The CJEU further found that IAB Europe must be regarded as a “joint controller” as it appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and appears to determine, jointly with its members, both the purposes of those operations and the means behind them. The CJEU did note, however, that the existence of joint controllership does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data and that the level of responsibility of each joint controller in each processing phase must be assessed in light of all the relevant circumstances of the particular case.
IAB Europe cannot, however, be regarded as a controller in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String, unless it can be established that IAB Europe has exerted an influence over the determination of the purposes and means of those subsequent operations. In this regard, the CJEU again noted that it is for the Belgian court to ascertain, in fact, whether IAB Europe participates in the determination of the purposes of the subsequent operations in light of all the relevant circumstances of the case.
The Belgian Market Court will now resume its examination of IAB Europe’s substantive arguments in respect of the February 2022 Belgian DPA decision in line with the answers given by the CJEU. This will likely include conducting a factual analysis as to whether IAB Europe has access to the additional data referred to above in respect of the TC String as well as whether IAB Europe engages in or exerts influence over the data processing operations which occur after the consent preferences of users are recorded in a TC String.
Whilst answers were awaited from the CJEU, the execution and full implementation of the Belgian DPA’s original decision had also been suspended, meaning that IAB Europe is not required to implement its action plan in respect of changes to the TCF based on the Belgian DPA’s interpretation of the GDPR at this stage. Pending the conclusion of the domestic proceedings, this suspension will remain in place. Nevertheless, IAB Europe had previously moved forward with certain changes to the TCF, as well as additional measures to extend the compliance functionality of the TCF, with the introduction of TCF v2.2.
It is anticipated that the Belgian Market Court could deliver its final ruling within the next number of months. If the court rules against IAB Europe on the substantive issues in the case, further changes may need to be made to the TCF to ensure future compliance with the GDPR. If this happens, it may be necessary for companies to undertake a substantive re-papering exercise to amend their privacy policies, cookie banners and, potentially, their commercial contracts.
We will continue to monitor developments in this matter.
Our Data Protection and Privacy Team, as well as our KPMG Managed Solutions Team, can advise companies on all aspects of adtech compliance and any necessary re-papering exercises. Please contact a member of the team for more information.