- The ECJ considers the TC string to be personal data, as it contains user preferences and the user can be identified with additional information (e.g. the IP address).
- IAB Europe is considered a joint controller according to Art. 4 No. 7 and Art. 26 GDPR, because the TCF co-determines the purposes and means of processing, even without direct access to data.
On March 7, 2024, the ECJ issued its long-awaited judgment in the IAB Europe case (Case 604/22). IAB Europe is an association in Belgium that represents the digital advertising industry at European level. Its members include publishers (i.e. the companies that provide digital advertising space), marketing companies, intermediaries and national associations.
Not surprisingly, the ECJ holds IAB Europe to be jointly responsible, together with its members, for the collection and transmission of user preferences via the TCF, IAB Europe's Transparency & Consent Framework. These preferences are also said to be personal data for IAB Europe, although IAB Europe itself cannot carry out any identification.
In substance, however, the ECJ is not introducing singularization (if it does not already apply) but extends the consequence of a downstream identification option in the processing chain to upstream links. This certainly doesn’t make life any easier when it comes to data processing based on the division of labor.
The IAB has published a media release and an update to its FAQ on the proceedings.
The TCF
IAB Europe has developed the “Transparency & Consent Framework” (TCF) to provide a standardized framework for compliance with the Cookie Directive (and possibly the future ePrivacy Regulation) and the GDPR. The TCF is one way to, in a standardized manner,
- inform users in a certain way about the use of cookies and similar technologies and the disclosure of their data, and
- obtain consents for certain purposes within the universe determined by the IAB and for disclosure to certain recipients (or allow users to object to certain processing based on a legitimate interest).
Every company that participates in the TCF must specify which processing it wishes to carry out and which legal basis it uses for this.
What happens afterwards is particularly relevant for the present judgment: a standardized protocol, encoded in the “TC String” (i.e. a non-human-readable text/number string supplied for each website or app and each user), is used to transfer consent information between websites, advertisers and their technology partners. The string is generated via JavaScript or an image with an encoded URL and contains information about the last update, the companies participating in the TCF (“Global Vendor List”), the user’s consent to the processing of their data (purpose/vendor), the legitimate interests stated by the vendor and whether the user has objected to these purposes, if applicable the publisher’s consent to the use of data for its own purposes, the publisher’s country and certain information in this context, and other information.
This is to ensure that all market participants, i.e. publishers, advertisers and technology providers such as demand-side platforms (DSPs) and sell-side platforms (SSPs), respect the consent or lack thereof.
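To make the description of the TC String concrete, the following added example (not code from this article or from IAB Europe) decodes the fixed header of a TC string's core segment. The field names and bit widths follow the published TCF v2 core-string layout, which the article does not reproduce, and the sample string is constructed.

```python
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "-_"
# Fixed header of a TCF v2 core segment as (name, bit width), in wire order.
FIELDS = [("version", 6), ("created", 36), ("last_updated", 36), ("cmp_id", 12),
          ("cmp_version", 12), ("consent_screen", 6), ("consent_language", 12),
          ("vendor_list_version", 12), ("tcf_policy_version", 6),
          ("is_service_specific", 1), ("use_non_standard_stacks", 1),
          ("special_feature_opt_ins", 12), ("purposes_consent", 24),
          ("purposes_li_transparency", 24), ("purpose_one_treatment", 1),
          ("publisher_cc", 12)]

def _letters(value):
    # Two 6-bit letters, A=0 .. Z=25 (language and country codes).
    return chr(65 + (value >> 6)) + chr(65 + (value & 0x3F))

def _set_bits(value, width):
    # Position 1 is the most significant bit; return the positions that are set.
    return [i + 1 for i in range(width) if value >> (width - 1 - i) & 1]

def encode_core(values):
    """Pack raw integers, given in FIELDS order, into a core segment (sample builder)."""
    bits = "".join(format(v, f"0{w}b") for v, (_, w) in zip(values, FIELDS))
    bits += "0" * (-len(bits) % 6)
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))

def decode_core(tc_string):
    """Decode the header of the core segment (the text before the first '.')."""
    core = tc_string.split(".")[0]
    bits = "".join(format(ALPHABET.index(c), "06b") for c in core)
    if len(bits) < sum(width for _, width in FIELDS):
        raise ValueError("core segment shorter than the fixed header")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name], pos = int(bits[pos:pos + width], 2), pos + width
    for key in ("created", "last_updated"):  # deciseconds since the Unix epoch
        out[key] = datetime.fromtimestamp(out[key] / 10, tz=timezone.utc)
    for key in ("consent_language", "publisher_cc"):
        out[key] = _letters(out[key])
    for key in ("purposes_consent", "purposes_li_transparency"):
        out[key] = _set_bits(out[key], 24)
    return out

# Constructed sample values (not a real user's string): consent to purposes
# 1, 3 and 4, legitimate interest for 2 and 7, language EN, publisher in BE.
SAMPLE = encode_core([2, 17097696000, 17097696000, 10, 1, 1, 269, 40, 4, 1, 0, 0,
                      0xB00000, 0x420000, 0, 68])
```

The decoded header holds timestamps, CMP metadata, a language, purposes and a country, but no field that names a user; whether a person can be identified depends on what a recipient stores beside the string, such as the IP address.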
Background and reference questions
Apparently, several complaints have been received against IAB Europe since 2019. The Belgian lead supervisory authority decided in 2022 that IAB Europe is a controller with regard to the recording of consent, objections and user preferences in the TC String. According to the authority, the latter is assigned to an identifiable user. The supervisory authority found violations, including the lack of a legal basis for the transmission of the string and of a corresponding privacy policy (obvious, since IAB did not assume that the string was personal), and imposed a fine.
IAB Europe lodged an appeal against this with the Brussels Court of Appeal, arguing that it was not a controller and that the TC string was not personal data, the latter because only the other participants can link the string to an IP address and thus convert it into personal data. The string itself, it argued, is not user-specific.
The Court of Appeal therefore essentially referred to the ECJ the question of whether the TC String constituted personal data, also from the perspective of IAB Europe, and whether IAB Europe was a responsible party.
Considerations of the ECJ: “Personal data”
The ECJ bases its answer to this question on the wording of the GDPR. Personal data are
“all information that relates to an identified or identifiable natural person”,
and a person is identifiable
who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The wording “all information” expresses that the concept of personal data is to be interpreted broadly. It is sufficient if information
because of its content, its purpose or its effects is linked to an identifiable person.
The ECJ refers to its CRIF judgment from May 2023, its Pankki decision and the older Breyer decision, and it would also have had available the “Opinion 4/2007 on the concept of personal data” of the then Article 29 Working Party:
- Indirect identifiability through the “use of additional information” is sufficient;
- it is not necessary for all this additional information to be “in the hands of a single person”;
- Therefore, personal data also includes all information about an identified or identifiable person resulting from the processing of personal data.
From these rather brief indications, the ECJ concludes: In the present case, the TC string contains the user’s preferences, and even if it does not contain any elements that allow direct identification, it is sufficient that it contains preferences and that, on the basis of the information in the string,
a profile of this user can be created and the exact person to whom this information relates can actually be identified.
It is sufficient that the connection of the string with IP address data enables identification. That IAB Europe itself cannot make such a connection does not change this. This is of course the crucial point, but here the ECJ apparently assumes that the string is linked to a person due to its purpose. Furthermore, the members of IAB Europe are in any case obliged to provide IAB Europe with all information that enables identification upon request.
One thinks here of the Logistep decision of the Federal Supreme Court in 2010, in which it extended the applicability of the FADP to persons who do not process personal data themselves, but pass on information to a third party who can carry out the identification – in this respect probably a misjudgment, which the Federal Supreme Court had not justified analogously to the ECJ with the purpose or the effects of the processing, but solely with considerations of legal consequences.
In any case:
50 Consequently, a TC string constitutes personal data within the meaning of Art. 4 No. 1 GDPR. In this respect, it is insignificant that such an industry organization, without a contribution from outside, which it can demand, neither has access to the data processed by its members under the rules it has established, nor can combine the TC String with other identifiers, such as in particular the IP address of a user’s device. […] In those circumstances, the fact that a sectoral organization in possession of that string has neither access to the data processed by its members within the framework of the rules it has established, nor can combine that string with other elements, without any external contribution, does not preclude that string from constituting personal data within the meaning of that provision.
Considerations of the ECJ: Responsible party
The ECJ begins here with its standard formulation:
… that the aim of the GDPR is in particular to ensure a high level of protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data […].
So you know what’s coming:
- Shared responsibility: each of the controllers must individually meet the definition of “controller”. Access to personal data is not required.
- If several responsible persons work together, their decisions must build on each other and affect the purposes and means of the processing.
- Processing purpose: in this case, the purpose is to support compliance with the GDPR. The TCF is intended to promote trade in advertising space on the internet. IAB Europe thus has an influence on the processing out of its own interests and determines the purposes together with its members.
- Means: the TCF is a framework for the members and also provides technical specifications that influence the obtaining of consent and the collection and processing of further data. It can therefore be assumed that IAB Europe influences the processing out of its own interests and therefore also determines the means together with the members.
Consequently, according to the case law cited in para. 57 of the present judgment, [IAB Europe] is to be regarded as a “joint controller” within the meaning of Art. 4 no. 7 and Art. 26 para. 1 GDPR.
However, the joint responsibility does not automatically extend to the further processing of the data by publishers, for example. This further processing apparently takes place without the involvement of IAB Europe.
So:
In light of the above, the answer to the second question is that Art. 4 No. 7 and Art. 26 para. 1 sentence 1 GDPR must be interpreted as meaning that
- on the one hand, an industry organization, insofar as it offers its members a regulatory framework it has established with regard to consent in the area of personal data processing, which contains not only binding technical rules, but also rules detailing how personal data relating to this consent must be stored and disseminated, is to be classified as a “joint controller” within the meaning of these provisions if, taking into account the specific circumstances of the case at hand, it exerts an influence on the processing of personal data in question out of its own interests and thus determines, together with its members, the purposes and means of the processing in question. The fact that such a sectoral organization does not itself have direct access to the personal data processed by its members within this regulatory framework does not preclude it from being a joint controller within the meaning of these provisions;
- on the other hand, the possible joint responsibility of this industry organization does not automatically extend to the further processing of personal data by third parties, such as providers of websites or applications, with regard to user preferences for targeted online advertising.
Further course
The Court of Appeal must now take these indications of the ECJ into account and decide whether and for which processing operations the conditions for joint controllership are effectively met and whether the requirements of the GDPR are fulfilled. In legal terms, however, it may not deviate from the ECJ’s findings. However, the ECJ has not determined or commented on whether the use of the TCF is unlawful.
In the course of the proceedings, IAB Europe submitted an action plan on how to address the concerns of the supervisory authority. The action plan may now be pursued further, but this is not clear at present.