On September 7, 2022, the Belgium Data Protection Authority (“DPA“) announced that the Belgium Market Court had issued an internal ruling (“Ruling“) on the IAB appeal, which included the referral of preliminary questions to the Court of Justice of the European Union (“CJEU“) regarding the legality of IAB’s Transparency and Consent Framework (“TCF“).
The Ruling was issued pursuant to IAB Europe’s appeal against the DPA’s decision (“DPA Decision”), which imposed an administrative fine of 250,000 EUR for the violation of the General Data Protection Regulation (“GDPR“). The DPA Decision concluded that based on the GDPR, the TC string, which includes the users’ preference, is considered “personal data”, as it is linked to an identifier such as an IP address, and that IAB Europe is the data controller of such TC Strings registration, although the IAB does not even have access or the ability to access to the TC String nor is the IAB able to associate the TC String with a unique identifier (as the TC String without the identifier is not unique per-use and the IAB claimed that solely the CMP and the AdTech Vendors are able to access the TC String and attach an identifier to it).
The impact of the DPA Decision on the online advertising and RTB ecosystem is substantial, specifically with regard to categorizing the vendors as “controllers”. Thus, the Ruling and the future CJEU ruling could have great implications on the entire chain.
The Market Court refers the following preliminary questions to the CJEU’s further assessment:
- Is the TC String, whether or not in combination with an IP address, considered personal data?
The Market Court indicated the importance of referring a detailed question in this regard to the CJEU, as follows:
- Should Article 4(1) to the GDPR, while read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a TC string indicating the preferences of an internet user in connection with the processing of his personal data in a structured and machine-readable manner constitutes personal data within the meaning of the provision above concerning (i) a sectoral organization such as IAB Europe that makes available to its members a standard that prescribes the practical and technical manner in which that character string must be generated, stored, or disseminated; and (ii) the parties which have implemented that standard on their websites or apps and thus have access to that character string (e.g., vendors, publishers, etc.)?
- Is there a difference if the CMPs implement the TC String together with the IP address?
- Do the answers to the abovementioned questions (a) and (b) lead to different conclusions if IAB Europe has no legal access to the personal data processed by the CMP or vendors?
- Is IAB Europe a joint data controller?
The Market Court was not certain whether IAB Europe should be qualified as a data controller for processing personal data within the TCF, and the DPA suggested referring such a question to the CJEU. According to the Market Court, although the DPA Decision that IAB Europe is a data controller is aligned with other data protection authority decisions (such as the AVG case, and decisions made by the Luxemburg DPA, all as referenced in the DPA Decision), the Market Court has not yet had the opportunity to rule on this “new and far-reaching technology”.
The Market Court referred the following questions to the CJEU:
- Should Articles 4(7) and 24(1) of the GDPR, while read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a standards-setting trade association such as IAB Europe must be classified as a data controller if it offers its members a standard for managing consent which, in addition to a binding technical framework, contains rules stating in detail how the consent of personal data should be stored and disseminated (meaning, do the IAB TCF Guidelines, de facto, determine the means and purpose of the processing?)?
- Does the answer to the abovementioned differ in case IAB Europe has no legal access to the personal data processed by its members using the TCF?
- In case the standard-setting sector as IAB Europe shall be qualified as a data controller or joint data controller for the processing of the internet users’ preferences, does that joint responsibility apply to the subsequent processing by third parties for which the preferences of internet users were obtained, such as targeted online advertising by publishers and vendors? The answer to this question will affect the entire ecosystem and contractual relationships between the various vendors.
BELGIAN DPA RESPONSE
The Belgium DPA stated it would further analyse the Ruling prior to detailing its precise stance, however, it is pleased with the Ruling, which will enable the clarification of crucial concepts of the GDPR, such as the definition of the concept of the data controller, and its applicability to framework designers.
IAB EUROPE RESPONSE
IAB Europe’s response welcomed the Market Court’s decision to seek guidance from the CJEU, indicating that the broad interpretation of personal data and controllership embraced by the DPA is unnecessary from a consumer point of view and has significant negative implications for the development of compliance tools under the GDPR. According to IAB Europe, the referral to the CJEU indicates the final judgment by the Market Court is unlikely to be issued until 2023 or 2024.
Please let us know if you have any further questions,
APM Technology and Regulation Team.
This document is intended to provide only a general background regarding this matter. This document should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
