The IAB has a mechanism called the TCF (Transparency and Consent Framework) to manage cookie and other tracking consents. Users’ preferences are encoded and stored in a string composed of a combination of letters and characters referred to as the Transparency and Consent String (TC String), which is shared with personal data brokers and advertising platforms so that they know what the user has consented or objected to. A cookie is also placed on the user’s device. When they are combined, the TC String and the cookie can be linked to that user’s IP address.
The Belgian Market Court (Court of Appeal) has now ruled in a case between the Belgian Data Protection Authority (DPA) and IAB Europe.
On 2 February 2022, the Belgian DPA fined the IAB €250,000 and gave it two months to submit an action plan to bring its activities into compliance. The decision was endorsed by all the concerned data protection authorities in the EU, after applying the one-stop-shop mechanism.
IAB Europe appealed the decision before the Market Court (part of the Belgian Court of Appeal). Before ruling on the case, the Market Court decided to refer two preliminary questions to the CJEU.
In its judgment, the CJEU confirmed that the TC String contains information concerning an identifiable user and therefore constitutes personal data under the GDPR. Where the information contained in a TC String is associated with an identifier, such as the IP address of the user’s device, that information may make it possible to create a profile of that user and to identify him or her. The CJEU also said that IAB Europe must be regarded as a “joint controller” under the GDPR. Subject to the verifications which are for the Belgian courts to carry out, IAB Europe appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String, and to determine, jointly with its members, both the purposes of those operations and the means behind them. However, the CJEU also said that without prejudice to any civil liability provided for under national law, IAB Europe cannot be regarded as a controller under the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String, unless it can be established that IAB Europe has exerted an influence over the determination of the purposes and means of those subsequent operations.
Decision of the Market Court
Based on this, the Market Court ruled on the appeal against the decision of the BE DPA on TCF version 2.0, taking into account the preliminary ruling of the Court of Justice.
In its judgment, the Court confirmed the infringements established by the Belgian DPA and the penalties imposed. More specifically, the Court ruled that the TC String is personal data under the GDPR and that IAB Europe acts as joint data controller for the processing of user preferences within the TCF. It annulled the Belgian DPA’s decision 21/2022 on procedural grounds.
The IAB has welcomed the ruling. It says that the corresponding changes to the TCF to accommodate what it says is limited controllership have already been proposed as part of the action plan submitted to and validated by the Belgian DPA in 2023. It says:
- The TCF remains a best-practice standard that can help publishers and vendors comply with certain requirements in the GDPR and ePrivacy Directive.
- The Market Court’s ruling clarifies that IAB Europe is only responsible (that is, acts as a “joint controller”) for the processing of the TC String – in line with the CJEU’s ruling.
- IAB Europe is not responsible for further processing of data for digital advertising, as the 2022 decision had ruled. This is significant, as the DPA’s qualification of IAB Europe as a controller over subsequent processing was the basis on which the Belgian DPA purported to find certain legal bases facilitated by TCF to be invalid; this finding is no longer valid.
Both sides are claiming some sort of victory.
