On 7 March 2024, the Court of Justice of the European Union issued a ruling (C-604/22 | IAB Europe) clarifying the concepts of personal data and controller in the context of the use of a Transparency and Consent Framework (TCF) by the online advertising industry.
The development of user profiling technologies in the online advertising sector raises questions about personal data. One of these practices, Real Time Bidding (RTB), enables companies to bid in real time for advertising space personalised according to user profiles. These bids are based on the collection of users' personal data, such as location, age, search history and recent purchases, in order to deliver targeted advertising corresponding to their interests. However, this practice requires the prior consent of users in accordance with the General Data Protection Regulation (GDPR).
In this case, IAB Europe, which represents the interests of Belgian advertising companies at European level, had developed a TCF for use by companies in the advertising sector with the aim of ensuring compliance with the GDPR for RTB systems implemented by these companies. This solution involved the use of a consent string, called the Transparency and Consent String (TC String), which stores user preferences in encrypted form. Once the user's consent or refusal has been collected, this string is shared with the brokers and advertising platforms involved in RTB. At the same time, a cookie is placed on the user's device, enabling the TC String to be linked to the user's IP address.
In 2022, the Belgian Data Protection Authority condemned the IAB association for the failure of the TCF developed to comply with the GDPR, resulting in the unlawful processing of personal data. The association appealed against this decision, and on this occasion the Belgian Court of Appeal referred two questions to the Court of Justice of the European Union (CJEU) for a preliminary ruling. On the one hand, the Court of Justice was asked to determine whether a TC String constituted personal data and, on the other, whether the IAB should be classified as a data controller.
- The TC String can be classified as personal data.
The Court answered the first question in the affirmative, holding that the TC String contains information that makes it possible to identify a user within the meaning of Article 4 of the GDPR. The Court's analysis shows that, although a TC string does not allow a data subject to be identified directly, it does contain information relating to that person, such as his or her preferences. When combined with an identifier such as an IP address, a TC String may make it possible to identify a person.
On this point, the Court of Justice states that the fact that the IAB does not have access to users' personal data or cannot combine the TC String with a user's IP address is irrelevant in so far as its members are required to communicate to it information enabling it to identify users. In those circumstances, the Court of Justice considers that IAB Europe has reasonable means of identifying a person on the basis of the TC String. Accordingly, a TC String is considered to be personal data if it can reasonably be associated with other data such as the user's IP address, thereby enabling the user to be identified.
- An association enacting a GDPR compliance framework for companies in the online advertising sector can be qualified as a joint data controller.
The second part of the decision focused on the question whether the fact that IAB Europe provides its members with a framework setting out technical rules relating to the methods of storing and disseminating users' personal data meant that the association could be regarded as a joint controller.
In order to answer this question, the Court states that it is necessary to assess whether that association influences the processing of personal data and determines jointly with its members the purposes and methods of that processing. In this case, IAB Europe, through the TCF solution it has put in place, is proposing ‘a framework of rules designed to ensure compliance with the GDPR of the processing of the personal data of a user of a website or application carried out by certain operators involved in the online auction of advertising space’. Members of the association are also required to adhere to this framework in order to join the association.
The framework also includes binding technical rules and detailed specifications on the collection of user preferences and the content, storage and delivery of TC Strings. Finally, IAB Europe has a certain power of sanction insofar as it can adopt decisions of non-compliance against its members who do not respect these rules, which can lead to the exclusion of the member, thus reinforcing its influence on the process. Consequently, and subject to the verifications that will have to be carried out by the referring court, the IAB Europe association can be considered a joint controller, even though it does not have direct access to the personal data processed by its members.
The second part of the question focuses on the extent of that association's liability for further processing carried out by its members. In other words, even if IAB Europe is involved in determining the purposes and methods of initial data processing, does this mean that it is automatically responsible for subsequent processing carried out by other entities, such as website or application providers? On this point, the Court answers in the negative, since it considers that the joint liability of the organisation does not automatically extend to data processing carried out subsequently, which therefore limits the association's liability.
The Court's broad interpretation of the concept of data controller is not without consequences for the standardisation practice that associations such as the IAB are attempting to adopt. The primary aim of the framework developed by the IAB is to help companies in the online advertising sector to adopt GDPR-compliant practices that ensure a high level of protection for users' personal data. Considering that these players can take on the role of data controller insofar as they exert an influence on the processing of their members‘ personal data is tantamount to burdening them with a responsibility that may act as a brake on the development of this type of activity, to the detriment of the protection of users’ personal data.
For the time being, the industry players involved in the development of TCF need to bring their practices into line with the implications of this decision. From now on, they will have to specify in the consent banner presented to users that the TC string is personal data covered by consent and that the company providing the TCF model is a joint controller with the provider of the website concerned.
[View source.]
