The questions concern IAB Europe's status as a (joint) controller, and whether the "TC String" can be considered personal data.
The Belgian Market Court has decided to refer preliminary questions to the Court of Justice of the European Union in the appeal that IAB Europe had filed against decision 21/2022 of the Belgian Data Protection Authority.
The Belgian Data Protection Authority decision established, among other things, that IAB Europe was responsible for the processing of personal data under the Transparency and Consent Framework. The TCF facilitates the management of users' preferences for online personalised advertising. As such, the Belgian Data Protection Authority had found that IAB Europe could be held responsible for violations of the GDPR. It also imposed an administrative fine of EUR 250,000 on IAB Europe.
IAB Europe had appealed the decision before the Market Court (part of the Court of Appeal). Before ruling on the case, the Market Court has decided to refer a series of preliminary questions to the Court of Justice of the European Union.
The questions concern IAB Europe's status as a (joint) controller, and whether the "TC String" (a string of numeric characters reflecting users' preferences) can be considered personal data.
The Belgian Data Protection Authority will now further analyse the Market Court's ruling before making further comment. However, it welcomes the fact that the CJEU will further clarify key concepts of the GDPR such as the definition of the concept of data controller, and its applicability to framework designers.
It says that its decision in the IAB Europe case has made an important contribution to the protection of Internet users' privacy in Europe, through its analysis of the mechanism for recording users' preferences for targeted online advertising. It will raise awareness about online advertising, and especially about the mechanism behind the consent to receive targeted advertising. Finally, the decision was an opportunity to exchange best practices and knowledge between the different European authorities, and thus showed the importance, and the efficiency, of collaboration at the European level.
The Belgian Data Protection Authority says that it will discuss possible next steps with its EU counterparts.