29/09/2022

Earlier this year the Belgian data protection authority (“BE DPA”) issued a €250.000 fine to the Interactive Advertising Bureau Europe (“IAB”) for multiple GDPR violations stemming from its Transparency & Consent Framework (“TCF”). The IAB chose to appeal the decision of the BE DPA. Earlier this month, the Belgian Court of Appeal decided to refer two preliminary questions to the CJEU: 1) is the TC String considered personal data, and 2) is IAB Europe a joint data controller? The CJEU’s answers to these questions are highly anticipated and will likely have vast consequences for the advertising industry, which has been experiencing a period of uncertainty since the BE DPA’s decision. The timeline of the case and the importance of the CJEU’s ruling are explained below.
The most crucial element of the TCF is the Transparency and Consent String (“TC String”), a coded set of characters that contains all relevant information about a person’s preferences, which is then disseminated throughout the adtech ecosystem. Consent management platforms (“CMPs”) collect data from the end-user about whether they have consented to the sharing of their personal data, which is then communicated through the TCF to other participants via the TC String. The TC String encodes and stores the responses of the user.
The complex set-up of the TCF renders the allocation of data controlling responsibilities difficult, further complicated by the vast number of legal entities participating in the TCF (820 as of September 2022, according to IAB’s "Global Vendor List"). As such, numerous complaints have been filed with data protection authorities (“DPAs”) across the EU regarding OpenRTB’s use of personal data. On the basis of these complaints, the BE DPA took on the role of lead supervisory authority regarding the TCF’s compliance with the GDPR.
The initial decision and fine
On February 2nd, 2022, the BE DPA, in collaboration with other concerned supervisory authorities throughout the EU, issued a decision which found IAB to be a data controller since it has a “decisive influence on the purpose and means of the processing by imposing compulsory TCF parameters”. In addition, it found IAB and the other TCF participants to be joint controllers for the collection and subsequent dissemination of users' consent, choices and objections, as well as for the related processing of their personal data. It also found the TC String to constitute personal data since IAB can collect additional information, including special categories of personal data, alongside the user’s preferences. These preferences in a TC String are considered personal data since they could be linked to a single identifiable user via their IP address.
Based on these findings, the BE DPA found IAB to be infringing upon several GDPR requirements and principles:
- It failed to establish a correct legal basis for the personal data processing under the TCF, including processing of special categories of data.
- It failed to meet the transparency and information requirements.
- It failed to comply with the principles of accountability and data protection by design and by default, as well as integrity and confidentiality, and security of data processing.
- It failed to keep a register of processing activities, appoint a data protection officer, or conduct a data protection impact assessment.
- A myriad of additional potential infringements.
The BE DPA fined IAB €250.000 and ordered it to create a corrective action plan within two months, with a maximum of six months to bring the TCF fully in line with the GDPR. Additionally, it ordered IAB to delete all illegally obtained personal data.
IAB appeal and Belgian Court of Appeal judgement
IAB initially responded to the decision by issuing a statement and FAQ regarding the meaning of the decision. In doing so, IAB reported that the decision does not truly invalidate the TCF, but rather, it primarily relates to the control of IAB over the TC Strings. It rejected the notion that IAB is a data controller and claimed that the TCF is simply a standard-setting framework within which adtech stakeholders can communicate. The IAB also rejected the categorisation of the TC String as personal data just because it could be used to link an IP address to its user. As such, IAB filed an appeal, and the Belgian Court of Appeal (“Court”) in turn issued its interim judgement in light of this appeal on September 7th, 2022.
In its interim judgement, the Court dismissed the majority of IAB’s claims regarding the validity of the BE DPA’s decision. More importantly, however, it chose to withhold its ruling by referring two preliminary questions to the CJEU.
Importance of referred preliminary questions
1. Is the TC String, whether or not in combination with an IP address, personal data?
The BE DPA claims that the TC String is personal data because, when the string is created and accessed from the user’s cookies, personal data, which includes the IP address, is visible to the CMPs involved. Therefore, the TC String is always related to an identified or identifiable individual. Moreover, the purpose of the data processing within the TCF is to deliver tailor-made advertising, so it can be assumed that a controller or other parties will identify the end-user.
IAB disputes these claims. Instead, it claims it only sets the practical and technical manner in which the string is generated, stored and used, and does no actual processing of the disseminated user data.
2. Is IAB Europe a joint data controller?
IAB rejects its designation as data controller since it claims it does not own, process, or decide upon the use of the specific strings. Conversely, the BE DPA claims that actual access to the TC Strings does not matter since IAB, as the architect of the TCF, determines the purposes and means of the data processing. It claims, therefore, that IAB effectively has controllership over the intercommunicated personal data. Furthermore, the BE DPA states that since the other participants in OpenRTB must follow the TCF’s explicit rules, the processing of personal data is interwoven, and no party can be singled out within the system. The BE DPA states that the CMPs can deviate from the TCF’s policies regarding the essential means of the data processing, in which case they are fully responsible for it; if they apply those policies, however, the IAB is jointly responsible for the processing activities.
Implications and consequences
Given the current uncertainty about the validity of the TCF, final answers to both preliminary questions are of key importance. While the BE DPA’s decision and fine are aimed at IAB Europe and not the TCF’s participants, adtech stakeholders are inevitably concerned. Already today, we see that the Dutch DPA specifically instructs companies not to use the TCF, and indicates that they should refrain from using any other such framework if they are not sure about its GDPR compliance.
The Court’s interim ruling does not suspend the initial decision of the BE DPA. However, it does inevitably delay the enforcement thereof. The industry will now have to await the CJEU’s answers to these key questions. Such answers will no doubt have major consequences for the practice of profiling and tailor-made advertising, and for the digital advertising industry as a whole. When exactly those answers will be provided is unclear, but a further year of uncertainty is to be expected.
If you have questions about the validity of the TCF, use of the framework, or questions about the impact of these developments on your organization, do not hesitate to contact us.