The Internet Advertising Bureau (IAB) Europe’s Transparency and Consent Framework (TCF) was supposed to be a “cross-industry best practice standard” to help thousands of publishers, adtech vendors and consent management platforms (CMPs) comply with the GDPR.
But in a decision from the Belgian data protection authority (DPA) in February, the TCF was deemed incompatible with GDPR—and thousands of companies using the scheme were left in limbo.
On Wednesday, following an appeal by the IAB, a Belgian court referred a series of questions to the Court of Justice of the European Union (CJEU). The case has huge implications for digital advertising, the definition of “personal data”, and the nature of controllership under the GDPR.
This article will break down the Belgian court’s questions for the CJEU one by one.
Question 1 a) Is the TC String Personal Data?
1. a) Should Article 4.1 of Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a string of characters which captures in a structured and machine-readable way an internet user’s preferences in relation to the processing of his personal data, constitutes personal data within the meaning of the aforementioned provision in relation to (1) a sector organisation that makes a standard available to its members in which it prescribes to them in which way that string has to be generated, stored and/or distributed practically and technically, and (2) the parties that have implemented that standard on their websites or in their apps and in this way have access to that string?
This question is about the “Transparency Consent String” (TC String), which the court defines as “a string of characters which captures in a structured and machine-readable way an internet user’s preferences in relation to the processing of his personal data”.
The TC String is a code that expresses data about users’ advertising consent preferences, including the purposes for which providers may process a user’s data and which providers have obtained the user’s consent.
The court asks whether the TC String can be considered “personal data” in certain contexts (which we’ll come to below) in relation to the following legal provisions:
- Article 4 (1) of the GDPR (which defines “personal data”)
- Article 7 of the Charter of Fundamental Rights (CFR) (the right to privacy)
- Article 8 of the CFR (the right to data protection)
Information can be “personal data” in some contexts but not in others. The court wants to know if the TC String is “personal data” in relation to:
- The IAB
- Publishers who are implementing the TCF on their websites and apps
Why does it matter?
A core part of the case against the IAB hinges on whether the TC String is personal data (and, also, whether it might be personal data when combined with an IP address—but more on that below).
This is important because one way in which the TC String is shared with TCF participants is via a domain managed by the IAB.
The IAB argues that the TC String is not personal data. While the IAB may have some control over the TC String, the group claims it is not controlling any personal data and thus is not a controller—just a “managing organisation” (or, in the court’s language, a “standards setter”).
The complainants, including Johnny Ryan of the Irish Council of Civil Liberties (ICCL), argue that the TC String is personal data. This could make the IAB a controller—not just a “standards setter”—and thus directly liable under the GDPR.
The Belgian DPA determined that the TC String is not—in itself—personal data. But there was an important caveat, which we’ll look at below.
Question 1 b) Is the TC String Personal Data When Combined With an IP Address?
b) Does it make a difference if the implementation of the standard means that this string is available together with an IP address?
Under the GDPR, personal data must relate to an “identified or identifiable natural person (living individual)”.
In the Belgian DPA’s February 2022 decision, it accepted that it had not “conclusively established” whether “the TC String, due to the limited metadata and values it contains, in itself allows for direct identification of the user”.
However, some information, while it can’t be used to directly identify an individual, can identify an individual indirectly—when combined with other data.
The Belgian DPA found that this was the case regarding the TC String. When a CMP stores or reads the TC String on a user’s device, “it inevitably also processes the user’s IP address”.
An IP address, the Belgian DPA stated, is “explicitly classified as personal data under the GDPR”.
“The possibility of combining the TC String and the IP address means that this is information about an identifiable user,” the DPA said.
Question 1 c) What if the IAB Can’t Access the Personal Data?
c) Does the answer to questions a) + b) lead to a different conclusion if this standard-setting sector organisation itself does not have legal access to the personal data processed by its members within this standard?
This question is about whether the fact that the IAB can access users’ IP addresses means it is controlling personal data.
Recall that, according to the Belgian DPA, TC Strings are not personal data in themselves. But TC Strings could be personal data in the hands of an entity that can combine them with IP addresses—and thus (arguably) identify the individual to whom a TC String relates.
The IAB stores TC Strings but not IP addresses. Therefore, the IAB argues that it does not control personal data.
However, the DPA found that the IAB could access both TC Strings and IP addresses by requesting this data from CMPs.
The DPA concluded this from the IAB’s TCF Policies, which state that CMPs must “maintain records of consent” and “provide [the IAB] access to such records upon request”.
Following a well-known EU court case known as “Breyer”, the DPA concluded that, even if the IAB doesn’t hold both TC Strings and IP addresses, the fact that it can lawfully access IP addresses via CMPs means it is processing personal data.
The DPA thus concluded that the IAB has “reasonable means at its disposal” that enable it to “identify directly or indirectly the user behind a TC String”.
One of the IAB’s grounds for appeal is that the DPA is wrong about this conclusion.
The IAB claims that only CMPs could combine IP addresses and TC Strings in such a way as to identify a user—and only by requesting additional information from an internet service provider.
The IAB argues that—even if this combined data point is personal data—the IAB cannot legally access it and is therefore not processing personal data.
The court, therefore, asks the CJEU whether this supposed lack of legal access to TC Strings in combination with IP addresses makes any difference to whether the IAB or publishers are processing personal data.
Question 2 a) Is the IAB a (Joint) Controller?
2. a) Should Articles 4.7 and 24.1 of Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a standard-setting sector organisation has to be qualified as a data controller if it offers its members a standard for managing consent that, in addition to providing a binding technical framework, contains rules specifying how this consent data, which constitutes personal data, has to be stored and disseminated?
This question asks whether the IAB is a controller, based on:
- Article 4 (7) GDPR (which defines a “controller”)
- Article 24 (1) GDPR (which requires controllers to comply with the GDPR)
- Articles 7 and 8 CFR (the rights to privacy and data protection)
The IAB maintains that it is a “managing organisation” and not a controller. The complainants, and the Belgian DPA, argue that the IAB is a controller.
This is important because, if the IAB is a controller, it should have undertaken certain duties under the GDPR, such as appointing a data protection officer and maintaining a record of processing activities (RoPA).
The question of the IAB’s controllership also has implications for the IAB’s responsibility for the actions of other organisations in the advertising ecosystem. More on that below.
Of course, the question comes down to whether the IAB “determines the purposes and means of the processing of personal data” by fulfilling its role within the TCF.
The IAB denies that it is a controller, claiming that it merely provides information to participants in the TCF.
Distinguishing a well-known CJEU case on controllership, the IAB argued that, “unlike the Jehovah’s Witness Community, IAB Europe does not ‘organise, coordinate or promote’ in any way the processing of personal data by TCF participants.”
In support of the notion that the IAB is a controller, the complainants submit that the IAB determines the purpose and means of the processing of TC Strings, including how they are modified, stored, and shared.
The Belgian DPA sided with the complainants, determining that the IAB is a data controller for the TCF. But the court chose to clarify this point with the CJEU.
Question 2 b) Would the IAB Still Be a Controller If It Couldn’t Access Personal Data?
b) Does the answer to question a) lead to a different conclusion if this sector organisation itself has no legal access to the personal data processed by its members within this standard?
This question is essentially a repeat of question 1 c) in a different context.
The IAB may or may not be a controller because it sets rules about how TCF participants process personal data. But does the question of whether the IAB itself can actually legally access data processed by those TCF participants make a difference?
- Is the IAB a controller whether it has access to personal data or not—based solely on the degree of control it has over how others process personal data? Or,
- Is the IAB only a controller if it has access to personal data?
Question 2 c) Is the IAB a Joint Controller, and What Are the Implications for Other Organisations?
c) If the standard-setting sector organisation is to be qualified as controller or joint controller for the processing of the preferences of internet users, does this (joint) controllership in European data protection law of the standard-setting sector organisation automatically also extend to the subsequent processing by third parties for which the preferences of internet users were obtained, such as targeted online advertising by publishers and vendors?
This final question for the CJEU examines the nature of joint controllership and whether the finding that the IAB is a (joint) controller extends to participants in the TCF (such as publishers and vendors).
The court wants to know whether a finding that the IAB is a joint controller would mean that the IAB was responsible for any illegal processing undertaken by other actors in the ecosystem, in particular via the real-time bidding (RTB) targeted advertising process.
The complainants say that the IAB is responsible for how other organisations treat personal data in the RTB system. The IAB, unsurprisingly, says it is not.
The court referred this question to the CJEU, stating that “the Court in Luxembourg has not yet had the opportunity to rule on this new and far-reaching technology”.