On 7 March 2024 the Court of Justice of the European Union (CJEU) issued its judgment in response to two questions that were referred to it by the Belgian Court of Appeal, about protocols related to what is known as “Real-Time Bidding” (RTB) for targeted online advertising.
The questions stem from an appeal by IAB Europe in relation to the Belgian Data Protection Authority's (DPA) assessment of IAB Europe’s status as a data controller under the EU GDPR. The DPA's litigation department had issued corrective measures and imposed an administrative fine against IAB Europe following a series of complaints received since 2019.
The judgment provides clarity on how tracking numbers referred to as the “TC String” might be categorised as “personal data”, and the situations in which a sectoral organisation might be a controller or joint controller of data under the EU GDPR.
Most people will be familiar with the cookie pop-ups on websites that request consent for advertising purposes. RTB is the most common system for placing adverts on websites. The RTB system involves advertisers in a variety of industries live bidding during an individual's use of a website for the advertising on the site. Under the EU GDPR, RTB had become difficult to operate as the tracking and targeting of individuals required prior consent which was difficult to achieve in a compliant manner, particularly as the concept of "consent" has developed and the penalties for non-compliance have increased under EU GDPR.
IAB Europe is a European advertising group, which developed, implemented, and promoted a framework and platform which allowed for the collection of consent, to enable the RTB system. The framework involves the large-scale processing of data and the application of a string of character-based code with advertisers and data brokers to track the individual's consent and interests for targeting advertising. This code, referred to as the “TC String", facilitated the RTB process by interacting with a cookie placed on the individual's browser, to identify whether they had consented to the processing of their information for the purpose of the targeted advertising. The cookie is also connected to the IP address of the individual.
The data used for the targeted advertising included various data shared and collected by advertisers who rely on the “legitimate interests” lawful basis for processing contained within Article 6(1)(f) of the EU GDPR. The personal data ranged from gender, age, information on the individual's location and recent search and purchase history.
IAB Europe argued that it was not a controller as it did not process data itself, but only established the system and rules for processing.
The two questions referred to the CJEU can be distilled into the following: (i) was the TC String personal data, and (ii) was IAB Europe, as the implementer of the framework for the TC String, a "controller" for the purpose of the EU GDPR?
TC String as Personal Data
The DPA argued that the TC String is personal data according to the definition at Article 4(1) of the EU GDPR, on the basis that when linked with other data, the individual user to whom it relates becomes identifiable. The CJEU found that the scope of Article 4(1) was intentionally wide, and in line with existing case law on the matter, where it was possible that the individual could be identified, then the data was personal. The court agreed with the view of the DPA and found that IAB Europe and its members had sufficient access to information to combine with the TC String to make it identifiable, meaning that it was personal data within the scope of Article 4(1).
IAB Europe as a Controller
Under Article 4(7) a controller is an entity which jointly or with others determines the purposes and means of processing the personal data. The CJEU recalled that an entity that exerts influence over the processing of personal data is also a controller, referencing by analogy Jehovan todistajat C-25/17 10 July 2018. The CJEU said also that IAB Europe set out rules within the framework as to how the TC String containing the details of an individual's consent may be used, stored and shared, and would revoke access to the Strings should members fail to abide by the rules. Accordingly, it is exerting influence over the processing of personal data. Therefore, the court considered the IAB Europe was a joint controller, despite the fact that the organisation of the framework was such that IAB would never have direct access to personal data beyond the TC Strings. However, the joint controllership does not extend to the subsequent processing of data that occurs by third parties for the targeting of adverts based on their preferences.
This decision will have an impact on all digital processing in the EU as it highlights just how broad the protections under GDPR should be applied. It continues a trend in the CJEU of being willing to find joint controllership. It may also mean that, in time, we see significant changes in how consent to data processing is obtained and shared within the digital advertising industry which, for consumers, may mean changes to cookie banners.
It’s important to note that, post-Brexit, judgments of the CJEU in relation to the EU GDPR do not apply in the UK, let alone bind the domestic courts or the Information Commissioner’s Office (though the UK courts may 'have regard' to those decisions). So, although the CJEU’s findings should be noted, especially by anyone who makes use of the TCF framework, it remains uncertain what the effect of the judgment will be in the UK.