On 7 September 2022 the Brussels Court of Appeal dismissed numerous grounds of IAB Europe's appeal from a decision of the Belgian Data Protection Authority – Autorité de protection des données ("APD") – and referred various questions relating to fundamental concepts of the GDPR to the Court of Justice of the European Union ("CJEU").
How did we get here?
IAB Europe ("IAB") operates the Transparency and Consent Framework ("TCF") which is designed so that participants in the adtech ecosystem can be transparent with users about how their data is used and obtain a lawful basis, including their consent, for its use. The TCF works by using consent management platforms ("CMPs"), which is what users interact with in order to indicate their preferences. Those CMPs then generate a Transparency and Consent String ("TC String") of letters and numbers which contain that users' chosen preferences. The TC String is what can then be shared within the ecosystem to inform all participants of users' chosen privacy preferences.
In February 2022 the APD found, among other things, that the TCF was not compliant with the GDPR. We have previously written on the details of this decision but notably the APD found that while the TC String could not directly identify users it could indirectly identify them when combined with their IP address and was, therefore, personal data. Additionally, they found IAB were acting as controller in relation to the registration of the users' preferences via the TC String, and joint controller - with CMPs, publishers, and participating adtech vendors - for the collection and dissemination of users' preferences and the subsequent processing of their personal data.
The appeal
IAB quickly indicated that they rejected the finding that they were a data controller of the TCF and suggested this would have "major unintended negative consequences going well beyond the digital advertising industry". It was, therefore, unsurprising that they brought an appeal in respect of the APD's decision.
Nineteen grounds of appeal were raised by IAB which can be broadly generalised as (1) procedural issues, (2) contesting whether the TC string constitutes personal data, (3) contesting both elements of IAB's controllership, and (4) contesting whether IAB violated their obligations under the GDPR.
Eight of the nineteen grounds were procedural, but five of those were considered to be unfounded. Two procedural grounds were "well-founded in part" and related to the fact the APD simply included additional allegations and complaints in their decision after the hearing, which was not sufficiently diligent. Despite this, the Court emphasised that they were not suggesting there should have been an additional investigation - as IAB had argued.
The outcome in relation to the other grounds is now left in limbo after six questions were referred to the CJEU. Effectively, to address the remaining grounds, the Court needs authoritative guidance as to whether the TC string is personal data for IAB and whether IAB are a joint controller. Considering the complexities involved in these circumstances, however, these two issues necessitated three separate questions each.
In relation to whether the TC string is personal data, they asked:- Should the definition of personal data in the GDPR be interpreted as meaning that a character string recording the preferences of an internet user in connection with the processing of his personal data in a structured and machine-readable manner constitutes personal data in relation to (1) a sectoral organisation (i.e. IAB) which makes available to its members a standard by means of which it prescribes the practical and technical manner in which that character string must be generated, stored and/or disseminated, and (2) the parties which have implemented that standard on their websites or in their apps and which thus have access to that character string?
- Does it make a difference if the implementation of the standard means that this character string is available together with an IP address?
- Does the answer to questions one and two lead to a different conclusion if this standard-setting sector organisation itself does not have legal access to the personal data processed by it within this standard?
As to IAB's controllership, they asked:
- Should the definition of controller in, and the controller's obligation to comply with, the GDPR be interpreted as meaning that a standard-setting sectoral organisation (i.e. IAB) must be classified as a data controller where it offers its members a standard for managing consent which, in addition to providing a binding technical framework, includes rules specifying how consent data, that is personal data, is to be stored and disseminated?
- Does the answer to question one lead to a different conclusion if this sector organisation itself has no legal access to the personal data processed by its members within this standard?
- If the standard-setting industry association must be designated as the controller or joint controller for the processing of the preferences of Internet users, does that (joint) responsibility of the standard-setting industry association also automatically extend to the subsequent processing by third parties for which the preferences of Internet users were obtained, such as targeted online advertising by publishers and vendors?
What happens now?
The proceedings have now been suspended, so we must simply wait to understand how these points should be interpreted before attention can turn to the remaining grounds of appeal. Inevitably, considering how complicated the circumstances are, this may well take years.
In the meantime, IAB did submit an action plan of corrective measures to the APD back in April - as required by the APD's original decision - which they have indicated they will continue to assess.
While it's fair to say that the challenges of the adtech ecosystem is hardly news, which we have written about more broadly, the CJEU's answers could fundamentally change our understanding of key aspects of the GDPR. The TCF is a complex system which many criticise as being something of a 'compliance theatre' providing only an illusionary form of compliance which fails to achieve the underlying purposes of the GDPR. Comparatively, many also consider it the only viable option to address transparency and consent in the ecosystem.
All we can do for now is watch this space...
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.