Summary of the IAB Europe case: from the Belgian DPA to the Court of Appeal, to the Court of Justice of the European Union, and back to the Belgian Court of Appeal.

  1. Introduction. How does the online targeted advertising & real-time-bidding system work? Who is doing what?

Advertising is essential for companies to effectively promote their products and services.

In today’s digital age, online advertising has become a cost-effective alternative to traditional media, leveraging big data and automated tools like real-time bidding systems to create highly personalized and targeted marketing campaigns.

Real-time bidding is an automated, instant online auction process for buying and selling digital ad spaces. When someone visits a website or application with ad spaces, advertisement technology companies, representing thousands of advertisers, bid in real time to display targeted ads based on the visitor’s profile. The highest bidder wins the auction and displays its personalized ad to the user in that specific ad space.

This system operates behind the scenes on most commercial websites and mobile applications, involving thousands of companies and billions of daily ad auctions. Its measurable nature enables businesses to track ad performance in real time, optimize campaigns, and achieve better returns on investment. This is a revolution in online marketing.

The Open Real-Time-Bidding protocol (the “OpenRTB”) is one of the most widely used protocols in the ecosystem. It was created by the IAB Technology Laboratory, Inc. and the Interactive Advertising Bureau, Inc., both based in New York. OpenRTB aims to simplify the interconnection between all actors involved in this complex online marketing ecosystem.

Graphically, the OpenRTB ecosystem can be presented as follows (source: BE DPA decision of 2 February 2022, p.12):

To build a visitor’s profile, companies use cookies and/or similar technologies to track online activities across websites and applications, collecting massive amounts of information about their preferences and consumption habits. This can be combined with the use of the IP address or any other unique identifier.

This complex ecosystem involves the processing of personal data requiring compliance with the GDPR¹ and the ePrivacy Directive.²

  2. What is the “Transparency & Consent Framework”? Why was it created?

The Transparency and Consent Framework (“TCF”) is a standard comprising technical specifications, terms and conditions, and a set of policies designed to help companies comply with certain obligations of the GDPR and the ePrivacy Directive.

The TCF was created by the Interactive Advertising Bureau Europe (“IAB Europe”), a not-for-profit association based in Belgium, representing indirectly around 5,000 companies from the digital advertising and marketing sector at European level. Its mission is to lead political representation and promote industry collaboration to deliver frameworks, standards and industry programs that enable business to thrive in the European market.

The main purposes of the TCF are:

  1. to provide users with transparency about the companies processing their personal data for advertising and/or targeted content purposes; and
  2. to give users control over such processing and the purposes for which companies are processing personal data.

When users visit a website or app for the first time, a Consent Management Platform (“CMP”) appears, allowing them to consent to or object to data collection and processing. The TCF registers these preferences via the CMP, encoding them in a “TC string” – a combination of letters, numbers and other characters – which is shared with OpenRTB participants to indicate user consent or objections.

TCF is crucial in OpenRTB, reflecting user choices for personalized advertising.

  3. Belgian DPA decision of 2 February 2022

In 2019, the Belgian DPA (“BE DPA”) received a series of complaints against IAB Europe questioning the compliance of their TCF with the GDPR. As the complaints involved the same entity and matter, the DPA chose to handle them, along with its own investigations, as a single case.

On 23 November 2021, given the cross-border nature of the TCF, the BE DPA, acting as the lead authority applying the “one-stop-shop mechanism”, shared its draft decision with other European data protection authorities in line with Article 60.3 of the GDPR. Twenty-seven of these authorities have expressed their intention to participate in the procedure as concerned authorities, highlighting the significance of this case. After an in-depth examination and two objections from the Netherlands and Portugal which were incorporated into a new draft, the decision was approved by all the authorities concerned. The BE DPA was pleased with the effective and cooperative collaboration.

On 2 February 2022³, the BE DPA ruled that the user’s preferences contained in the “TC string” qualified as personal data essentially for the following reasons (the “BE DPA Decision”):

  • Collection and Encoding: user preferences are collected via the Consent Management Platform (“CMP”), and then encoded in the “TC string” which is shared with OpenRTB participants to indicate user consent or objections. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the user’s IP address, making the originator of the preferences identifiable.
  • Personal Data Definition: The BE DPA stated: “As long as information, by virtue of its content, purpose or effect, can be linked to an identified or identifiable natural person by any reasonably practicable means and regardless of whether the information from which the data subject can be identified is held entirely by the same controller or partly by another entity, such information must be considered personal data”⁴ (n°296 – translated).

In addition, the BE DPA ruled that IAB Europe was acting as joint data controller with the participating CMPs, Publishers and Adtech Providers with regard to the collection and dissemination of users’ preferences, objections and consent, as well as for the subsequent processing of personal data carried out on the basis of the preferences recorded in a TC string, such as personalized advertising. The main arguments were the following:

  • Decisive Role: “The participating organizations, i.e. publishers and adtech providers, would not be able to achieve the objectives set by IAB Europe without TCF. The system developed by IAB Europe therefore plays a decisive role in the collection, processing and dissemination of users’ preferences, consents and objections, regardless of whether IAB Europe itself has access or not to these personal data.” (n°330 – translated)
  • Purpose Determination: As stated by IAB Europe itself, they determine the purposes of the TCF which is to facilitate and manage the users’ preferences.
  • Promotion and Influence: “TCF is proposed with the aim of indirectly promoting the use of OpenRTB. In this respect, IAB Europe, in its capacity as Managing Organization, acts as a real hinge between TCF and OpenRTB, which, incidentally, was developed by IAB Tech Lab.” (n° 336 – translated)
  • Inventory of Purposes: In support of its position, the BE DPA “refers to the inventory of purposes that participating organizations can pursue under TCF. For example, the TCF Policies for CMP, publishers and other providers respectively stipulate a mandatory list with fixed and predefined purposes, special purposes, functionalities and special functionalities defined by IAB Europe.” (n°337 – translated by us)
  • Based on the above, the BE DPA concluded that the purpose of TC String, and in the broader sense of TC String processing within TCF as described in the TCF Policies, has been established by IAB Europe.
  • Essential Means of Processing: In addition, the BE DPA concluded that IAB Europe decided on the essential means of the processing of the TC String, i.e., IAB Europe imposes its processing parameters through the technical specifications, imposes the acceptance of terms and conditions for the use of TCF, determines with whom user preferences should be shared (in particular by making available a list of adtech suppliers registered with TCF, entitled Global Vendors List (GVL), as well as a list of approved CMPs (Global CMP List)), and is responsible for defining the criteria for determining the retention periods for TC Strings.
  • Finally, “the role of CMPs, publishers and adtech providers shows that the decisions relating to the determination of the purposes and means of the processing activities carried out by the defendant under the TCF (aimed at bringing the processing activities carried out by the aforementioned participating organisations into compliance with the GDPR and the ePrivacy Directive) complement the decisions relating to the purposes and means of the processing activities carried out by the participating organisations under the OpenRTB and must therefore be considered convergent decisions.” (n°401 – translated)

The BE DPA held IAB Europe responsible for various GDPR infringements, such as:

  1. lack of sufficiently clear and precise information regarding the nature and scope of processing of users’ personal data;
  2. failure to implement organizational and technical measures ensuring data protection by design/by default; and
  3. failure to keep a register of processing activities (ROPA), to appoint a data protection officer (DPO) and to conduct a data protection impact assessment (DPIA).

The BE DPA ordered IAB Europe to comply with the GDPR and imposed a fine of 250,000.00 EUR.

  4. Comments: BE DPA Decision in line with previous BE & EU case law

The BE DPA Decision aligns with its previous rulings and previous decisions of the CJEU, adopting a broad interpretation of personal data and (joint) data controller.⁵ In line with the EU’s broader digital agenda, it appears that the CJEU and the DPAs aim to significantly enhance online personal data protection.

Below, decisions from the BE DPA that follow the same direction:

  • A work email address without direct identifiers (e.g., [email protected]) could still identify the data subject if they were the sole user of that email address and signed emails with their personal name.⁶
  • A license plate can constitute personal data, even if it belongs to a company car. Since there was only one company car, it could be readily linked to the owner of the company, thus identifying the data subject.⁷
  • Publishing a photograph or video of a data subject’s fireplace does not constitute processing personal data. The BE DPA clarified that while personal data includes any identifiable information, a video of just a smoking chimney is not personal data. However, if published with the data subject’s name and address, it would involve processing personal data.⁸
  • Regarding joint controllership, the BE DPA investigated the use of a tool called ‘MeldJeAan,’ used by parents to secure school spots for their children in Antwerp. Following a data breach, the DPA assessed the role of the city of Antwerp, which was one of several parties deciding on the tool’s purpose and funding it. The DPA concluded that the city of Antwerp acted as a joint controller with other parties and held it responsible for non-compliance with the GDPR.⁹

  5. Appeal & Preliminary questions to the CJEU

On 4 March 2022, IAB Europe appealed the BE DPA Decision before the Market Court (Court of Appeal of Brussels).

The Court of Appeal decided to refer two preliminary questions to the CJEU prior to resuming its examination of the merits of the case, namely:¹⁰

  1. Whether the TC String constitutes personal data under the GDPR; and
  2. Whether IAB Europe, a standard-setting sectoral organization that provides its members with standards for managing consent, could act as (joint) controller for the processing of TC Strings, even if it does not itself have access to the processed personal data, and, if so, whether such joint controllership automatically extends to the subsequent processing carried out by third parties.

  6. CJEU’s decision of 7 March 2024

On 7 March 2024, the CJEU issued its judgement in the IAB Europe case (the “CJEU Decision”).¹¹

First Question: TC String as Personal Data

The CJEU ruled that a string composed of a combination of letters and characters that contains users’ preferences regarding the processing of their personal data, such as the “TC String”, constitutes personal data where those data may, by reasonable means, be associated with an identifier (including the IP address). It recalled that, for information to be treated as personal data, it is not necessary that all the information enabling the identification of a data subject is in the hands of one person. It further stated that the TC string contains the individual preferences of a specific user regarding his or her consent to the processing of his or her personal data, and thus relates to a natural person.

The Court further found that combining a TC string with an identifier, such as an IP address, can effectively lead to identifying the person associated with that TC string.

Second Question: Joint Controllership

Regarding the second question, the CJEU ruled that IAB Europe can be deemed a joint controller with its members if it influences the personal data processing for its own purposes, and determines, jointly with its members, the purposes and means of such processing, which is up to the BE Court of Appeal to verify.

The CJEU recalled that a broad interpretation of the concept of a controller is required to ensure effective and complete protection of data subjects. Joint controllership does not require each actor to have access to personal data. If the BE Court of Appeal finds that there was a joint controllership, such joint controllership would not extend automatically to the subsequent processing of personal data by TCF operators and third parties (e.g. processing for displaying personalized advertising to users).

  7. What’s next? Impact for other associations?

The appeal proceedings will now resume before the BE Court of Appeal, which will have to carry out the various factual verifications required by the CJEU.

If the BE Court of Appeal confirms the BE DPA Decision, the TCF will be found in breach of the GDPR. In such a case, IAB Europe would have the obligation to adapt the TCF to bring it into compliance.

Moreover, IAB Europe would have to conclude a joint controllership agreement with its members in line with Article 26 of the GDPR in which they shall define their respective obligations to ensure compliance with the requirements of the GDPR, the exercise of the data subject’s rights, and their respective obligations with regard to the communication of information referred to in Articles 13 and 14. The agreement shall duly reflect the respective roles of the joint data controllers and their relationship. Irrespective of the terms of the agreement, the data subject may exercise the rights conferred on him or her by the GDPR in respect of and against each of the data controllers.

Liability Toward Data Subjects

In terms of liability towards data subjects, it is important to note that Article 82 of the GDPR stipulates that joint data controllers are jointly and severally liable for any damage suffered. In other words, a user who has suffered material or non-material (moral) damage as a result of TCF’s breach of the GDPR would have the right to request full compensation for such damage from IAB Europe or its members. Recently the CJEU has interpreted the concept of damage broadly, by ruling that the fear experienced by a data subject concerning a possible misuse of his or her personal data by third parties because of an infringement of the GDPR can constitute non-material damage.¹²

The controller may only be exonerated if it can prove that the damage is not attributable to it. Where a controller has paid full compensation for the damage suffered, that controller shall be entitled to claim back from the other controllers involved in the same processing that part of the compensation corresponding to their part of responsibility for the damage.¹³ In practice, it is difficult to calculate the degree or extent of responsibility of each controller, and thus the degree or extent of corresponding compensation for the damage.

In the joint controllership agreement, controllers can allocate responsibility and the financial impact of liability among themselves. During commercial and contractual negotiations, a controller may seek to transfer liability to the other controller(s), with the exception of damages caused intentionally or due to gross negligence. They might agree that their liability cannot exceed a specific capped amount (e.g., the value of the commercial contract). However, it is essential to note that liability limitation clauses within joint controllership agreements do not affect third parties, such as data subjects. These agreements cannot restrict data subjects’ rights under the GDPR or limit the liability of (joint) controllers concerning compensation for data subjects. While claims made by data subjects cannot be restricted, controllers can still include indemnification clauses in the contract. These clauses allow controllers to compensate each other for losses resulting from such claims and may specify conditions under which indemnification is directly enforceable.

Broader Implications

The IAB Europe case is relevant for any association that sets rules and standards for its industry members encompassing personal data processing, even if it does not directly participate in data processing or have access to the data. Such associations and their members should reassess their roles in personal data processing and ensure they understand their responsibilities, depending on the specific circumstances.

Annex 1: Visual representation of this complex online marketing environment created by Pierstone Brussels ©.

Footnote(s):

1 REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”).

2 DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, the “ePrivacy Directive”).

3 Belgian Data Protection Authority, Litigation Chamber, Decision on the merits 21/2022 of 2 February 2022 (Number of the file: DOS-2019-01377).

4 See also the CJEU ruling C-582/14 of 19 October 2016, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, para. 46; FR. ZUIDERVEEN BORGESIUS, « Singling out people without knowing their names – Behavioural targeting, pseudonymous data, and the new Data Protection regulation », Computer Law & Security Review, vol. 32-2, 2016, pp. 256-271.

5 For examples of broad interpretation of personal data, see: case “Breyer” C-582/14, Judgement of the Court (Second Chamber) from 19 October 2016; case “Nowak” C-434/16, Judgement of the Court (Second Chamber) from 20 December 2017; For examples of broad interpretation of (joint) data controller, case C-25/17, Judgement of the Court (Grand Chamber) from 10 July 2018; case C-210/16, Judgement of the Court (Grand Chamber) from 5 June 2018; case C-40/17, Judgement of the Court (Second Chamber) from 29 July 2019; case C-272/19, Judgement of the Court (Third Chamber) from 9 July 2020.

6 Belgian Data Protection Authority, Litigation Chamber, Decision on the substance 40/2023 of 3 April 2023 (Number of the file: DOS-2022-01387).

7 Belgian Data Protection Authority, Litigation Chamber, Decision on the substance 188/2022 of 21 December 2022 (Number of the file: DOS-2022-00944).

8 Belgian Data Protection Authority, Litigation Chamber, Decision on the merits 71/2020 of 30 October 2020 (Number of the file: DOS-2018-07299).

9 Belgian Data Protection Authority, Litigation Chamber, Decision on the merits 165/2023 of 11 December 2023 (Number of the file: DOS-2022-02499).  

10 Case C-604/22, Request for a preliminary ruling from the Brussels Court of Appeal (Belgium) lodged on 19 September 2022 – IAB Europe v Gegevensbeschermingsautoriteit; Other parties: TR and Others, available: CURIA – Documents (europa.eu)

11 Case C-604/22, Judgement of the Court (Fourth Chamber) from 7 March 2024, available: CURIA – Documents (europa.eu)

12 Case C‑340/21, Judgement of the Court (Third Chamber) from 14 December 2023, available: CURIA – Documents (europa.eu).

13 CJEU recognized in one of the landmark cases that the existence of shared responsibility does not necessarily imply equal responsibility. See case C-210/16, Judgement of the Court (Grand Chamber) from 5 June 2018, available: CURIA – Documents (europa.eu)