Latest Posts
Search for:
In EU GDPR

IAB Europe CJEU decision: key takeaways and impact for the AdTech industry

by , , , , and 12 Mins Read

1. Background of the case and proceedings in Belgium

(a) IAB Europe and real-time bidding in a nutshell

The CJEU ruling concerns the Transparency and Consent Framework (“TCF”) that was launched by Interactive Advertising Bureau Europe (“IAB Europe”), a European-level association for the digital marketing and advertising ecosystem.

The TCF specifically targets the real-time bidding industry, which is active in the provision of online, automated and instantaneous auctions for the sale and purchase of online advertising spaces for advertisements that are specifically personalised to each internet user who is to receive the advertisement (so-called “targeted advertisements”).

To facilitate compliance of the real-time bidding industry with the GDPR and cookie consent requirements stemming from the ePrivacy Directive (2002/58), IAB Europe developed the TCF as a voluntary standard consisting of guidelines, instructions, technical specifications, protocols and contractual obligations, which enable companies to obtain user consent in a standardized and efficient manner.

Typical participants to the TCF include websites or app providers, advertising platforms and data brokers and can be broken down into three types of stakeholders:

  • Publishers (i.e., operators of online content or services where personal data is collected and processed by vendors providing online personalised advertising, audience measurement and similar services);
  • Vendors (i.e., ad servers, measurement providers, advertising agencies, DSPs, SSPs, etc.); and
  • Consent management platforms (“CMPs”) service providers (providers of tools such as cookie banners to inform users and collect their preferences with respect to the processing of their personal data, notably through cookies and other online tackers).

Whenever internet users consult for the first time a website or application containing advertising space, a CMP appears allowing users to consent or to object to different types of processing activities concerning their personal data for different purposes, such as marketing and advertising. The added value of the TCF in this context is to facilitate the recording of users’ preferences through the CMP.  These user preferences are subsequently coded and stored in a so-called “TC String”, which is a string composed of a combination of letters and characters. This TC String is then shared with participating real-time bidding organisations so that they know to what users consented or objected so as to ensure compliance with the GDPR and the ePrivacy Directive. The CMP also places a cookie (euconsent-v2) on the user’s device which, combined with the TC String, can be linked to that user’s IP address.

(b) Proceedings against IAB Europe

Following complaints received as early as 2019, the Belgian Data Protection Authority (DPA) issued a decision on the TCF on February 2, 2022, concluding a lengthy investigation and process in which the Belgian DPA collaborated with the supervisory authorities of 27 other Member States. The Belgian DPA found that the TCF processed personal data via the TC String, that IAB Europe acted as a data controller, and that as a result, IAB Europe had committed several breaches of the GDPR: it processed the personal data without a valid legal basis, in breach of the principle of transparency, with insufficient technical and organizational measures, and did not conduct a Data Protection Impact Assessment or appoint a Data Protection Officer. Consequently, the Belgian DPA fined IAB Europe €250,000 (the second highest fine ever imposed by the DPA) and ordered it to submit an “action plan” within two months.  

IAB Europe appealed the Belgian DPA’s decision to the Belgian Market Court (Brussels Court of Appeal), which referred preliminary questions to the CJEU to clarify (i) whether IAB Europe should be considered a (joint) controller and (ii) whether the TC String should constitute personal data.

Notwithstanding the appeal, two months after the Belgian SA’s decision, IAB Europe submitted its action plan to restore compliance. This plan was formally approved by the Belgian SA on January 13, 2023, while the referral for a preliminary ruling was still pending before the CJEU. IAB Europe successfully obtained a suspension of the implementation of the action plan as an interim measure before the Belgian Market Court. In parallel, IAB Europe proceeded to voluntarily introduce some of the changes foreseen in its action plan with the launch of a new version (v2.2) of the TCF in May 2023, which had to be adopted by TCF participants by the end of 2023.

On March 7, 2024, the CJEU finally delivered its ruling. As it is a preliminary ruling, it is limited to an interpretation of EU law with regard to the specific questions referred to the CJEU and does not address the factual circumstances of the case. The interpretation given by the CJEU, which is in line with the position of the Belgian DPA, is binding on the Belgian Market Court (and all other EU courts). However, this alignment does not necessarily mean that the original decision of the Belgian DPA will be upheld. The Market Court will have to apply the CJEU’s interpretation to the specific facts of the case and rule on the merits of the case. The IAB Europe saga may then not necessarily end, as the Market Court’s decision could still potentially be challenged before the Belgian Court of Cassation – although unlikely.

2. Deep dive into the CJEU decision

(a) What are the clarifications provided by the CJEU?

CJEU confirms that the TC String constitutes personal data

The first question referred to the CJEU related to the qualification of the TC String as personal data. This question was obviously crucial for the case: if the data processed by IAB Europe could not be considered personal data, there would be no case against IAB Europe under the GDPR.

With no surprise the Belgian DPA asserted its jurisdiction by arguing that the TC String is personal data. On the contrary, IAB Europe argued against the qualification of “personal data” because it could not itself combine the TC String with the users’ IP address and that it does not have direct access to such personal data.

The CJEU aligned its position with that of the Belgian DPA, ruling that the combination of letters and characters constituting the TC String is personal data because the TC String contains the user’s preferences and that such preferences allow to identify indirectly the user with additional data.

The CJEU rationale is the following:

  • The concept of personal data covers indirect identification of a data subject, as already confirmed by the CJEU in other cases[1]. This means that information is deemed personal data even if additional information is needed to attribute personal data to a physical person. This applies to the case at hand since the TC String gives information of the user’s preference but does not allow for direct identification of the user.
  • In addition, as in the previous mentioned cases[2] , the CJEU stresses out that information enabling the identification of the data subject may be in the hands of several persons. Thus, it is not relevant that IAB Europe cannot directly access additional information nor combine the TC String with such additional information. Ultimately, the circumstance that identifying information is held by different persons does not prevent the qualification of personal data. This applies to the case at hand since the TC String needs to be associated with an identifier that is not held by IAB (such as the IP address) in order to identify the user.
  • The CJEU however stresses that the Belgian Market Court must verify if IAB Europe has reasonable means of identifying the user on the basis of the preferences and additional information that its members and other organisations participating in the TCF are required to provide (see by reference with GDPR recital 26).

The CJEU therefore clarifies that personal data includes all information resulting from the TC String processing, including those that indirectly identify the user. This confirms the CJEU’s broad interpretation of the concept of “personal data”. Qualification of the TC String as personal data impacts both IAB Europe and its members. Since they process such personal data, they are subject to GDPR obligations and must apply them accordingly.

CJEU clarifies limited role of IAB Europe in TCF

The second question referred to the CJEU concerned the role of IAB Europe (controller, joint controller). The CJEU recalls that joint controllership covers an entity which ‘alone or jointly with others’ determines the purposes and means of the processing of personal data (GDPR Article 4(7)), which does not imply equal responsibility for the processing, nor that joint controllers have access to the personal data concerned[3].

The CJEU clarifies the IAB Europe’s processing role and assesses which of the following processing activities are involved: (1) the processing of personal data carried out by TCF participants (e.g., website or app providers, advertising platforms, data brokers) when the consent preferences of the users concerned are recorded in a TC String, and (2) the subsequent processing of personal data carried out by the participants on the basis of those preferences, such as the offering of personalized advertising to users. It concludes thereof, in terms of controllership that:

  • Members of IAB Europe, e.g., website or app providers, data brokers or advertising platforms, are joint controllers for the recording of the users’ preferences in the TC String in accordance with the TCF.
  • IAB Europe is a joint controller only for the processing of personal data carried out when the consent preferences of the users concerned are recorded in a TC String in accordance with the TCF. However, the CJEU rules that IAB Europe has no influence on subsequent processing operations.
  • Members of IAB Europe are controllers for the subsequent processing of personal data on the basis of those preferences, such as the transmission of those data to third parties or the offering of personalised advertising to users.

The CJEU rationale is the following:

  1. Controllership does not depend on whether an entity holds all information that identifies a natural person but rather on the reasonable means available to the data controller to identify that person: It does not matter that IAB Europe holds or not, or (directly) accesses or not all information identifying a person.
  1. Joint controllership does not mean equal responsibility: Data controllers may be involved at different stages of the processing of personal data and are therefore not legally responsible in equal measure. The CJEU directly echoes its earlier case law[4], also cited in the EDPB guidelines on the concepts of controller and processor[5].
  1. The “influence” criterion for qualification of controllership gains momentum:  According to the CJEU, IAB Europe’s decisive influence is characterized by the fact that it has proposed to its members a framework of rules relating to the processing of personal data, which contains binding technical rules and rules setting out in detail the arrangements for storing and disseminating personal data. This same criterion excludes IAB Europe’s controllership for subsequent processing, i.e., when data is no longer stored in the TC String in accordance with the TCF established by IAB Europe but disclosed to third parties. The “influence” criterion is also used in the EDPB guidelines on the concepts of controller and processor by referring to the decision-making power. The key point of this criterion is that all relevant factual circumstances must be considered to determine whether a particular entity has a decisive influence on the processing of personal data.

(b) Allocation of controllership on personal data between the various tech players – the next challenges

Now that the roles and GDPR qualifications are clarified, practical challenges arise:

  • How can AdTech professionals fulfill their GDPR transparency obligations (GDPR Articles 13 and 14)?

The GDPR requires data subjects to be informed of the controller’s identity (including joint controller’s identity). This means that the website or app user should be aware before setting his or her preferences which entities are (joint) controllers and for which processing activities. Such information will have to appear on consent  wording and on related privacy policies and take into account the specific guidelines from local data protection authorities on cookies and transparency.

However, the GDPR also requires that controllers present information in a clear and understandable manner. Therefore, publishers and AdTech vendors will have to tackle the challenge of providing more details and maintaining quality of the information provided.

  • How should joint data controllers fulfill the obligations of the GDPR ?

The GDPR requires joint controllers to determine their respective obligations in an agreement to allocate the obligations of the GDPR and notably the proper management of the exercise of the data subject’s rights. This means that website or app providers, data brokers or advertising platforms should enter into a contract with IAB Europe that defines their role and responsibility for the recording of uses’ preference in the TC String (but not for the subsequent processing activities, which according to the CJEU are carried out by the members of IAB Europe as independent controllers). It is likely that IAB Europe will produce a template agreement.

Following the preliminary ruling from the CJEU, the case has now been returned to the Belgian Market Court. IAB Europe stated that it welcomes the CJEU ruling as it clarifies its limited role. IAB Europe also stated that it will soon provide a comprehensive commentary on the ruling and its implications. The next steps are quite limited: the Belgian Market Court has to apply the CJEU’s ruling to the specifics of the case and a challenge may be still lodged with the Belgian Court of Cassation. We will continue to provide updates on this important case.

[1] See judgements of the Court of Justice, 10 October 2016, Breyer, C-582/14 and of 22 June 2023, Pankki S, C-579/21.

[2] Ibid.

[3] See judgments, 10 July 2028, Jehovan todistajat, C-25/17 and 5 June 2018, Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16.

[4] Ibid.

[5] See Guidelines 07/2020 on the concepts of controller and processor in the GDPR.

Categories:
Tags:
Author

Magalie Dansac Le Clerc is a partner in Baker McKenzie's Paris office. A member of the Firm's Information Technology and Communications Practice Group, she is a Certified Information Privacy Professional (CIPP).

Author

Elisabeth is a partner in Baker McKenzie's Brussels office. She advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Juliette is a member of the Information Technology and Communications team and focuses on new technologies, computer technology, internet and telecommunications.

Author

Caroline Serbanescu is an Associate at the Brussels office of Baker McKenzie.

Author

Quentin Fontaine is an associate in the IPTech Practice Group in the Brussels office. He joined Baker McKenzie in 2023. Quentin is also a scientific collaborator in digital law at UCLouvain.

Author

Juliette Gomes is a Trainee in Baker McKenzie's Paris office.

Related Posts