Court of Appeal of Brussels - 2022/AR/292: Difference between revisions

From GDPRhub
(Clarification of the short summary.)
 
(6 intermediate revisions by 2 users not shown)
Line 5: Line 5:
|Courtlogo=Courts_logo1.png
|Courtlogo=Courts_logo1.png
|Court_Abbrevation=Hof van Beroep
|Court_Abbrevation=Hof van Beroep
|Court_Original_Name=Hof van Beroep Brussel
|Court_Original_Name=Court of Appeal of Brussels (Belgium)
|Court_English_Name=Market Court of the Brussels appeal court
|Court_English_Name=Market Court of the Brussels appeal court
|Court_With_Country=Hof van Beroep Brussel (Belgium)
|Court_With_Country=Court of Appeal of Brussels (Belgium)


|Case_Number_Name=Tussenarrest 2022/AR/292
|Case_Number_Name=Tussenarrest 2022/AR/292
Line 53: Line 53:
|GDPR_Article_14=Article 39 GDPR
|GDPR_Article_14=Article 39 GDPR
|GDPR_Article_Link_14=Article 39 GDPR
|GDPR_Article_Link_14=Article 39 GDPR
|GDPR_Article_15=
|GDPR_Article_15=Article 4(1) GDPR
|GDPR_Article_Link_15=
|GDPR_Article_Link_15=
|GDPR_Article_16=
|GDPR_Article_16=Article 4(7) GDPR
|GDPR_Article_Link_16=
|GDPR_Article_Link_16=


Line 73: Line 73:
|Party_Link_2=
|Party_Link_2=


|Appeal_From_Body=GBA
|Appeal_From_Case_Number_Name=
|Appeal_From_Case_Number_Name=
|Appeal_From_Status=
|Appeal_From_Status=
Line 86: Line 85:
}}
}}


The Court referred two questions to the ECJ. They asked whether an IC-String (code containing the user's consent decision) is personal data and about the nature of joint controllers.   
The Belgian Court of Appeal (Marktenhof) referred two questions to the CJEU. It asked whether an TC-String (code containing the user's consent decision) is personal data and asked about the nature of joint controllers.   


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The DPA received complaints against a digital advertising company called ‘Interactive advertising bureau Europe’, in short ‘IAB’ (controller).  
The Belgian 'Gegevensbeschermingsauthoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad-agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies to become more GDPR compliant. Also, TCF makes it overall easier to record preferences of data subject for companies that use the so called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string,’ which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie could also be coupled with the IP-address of the data subject.  


The complaint concerned the ‘Transperancy and consent Framework (TCF)’. This is an advertising framework for online ‘real time advertising’ that was originally developed by the controller. TCF was meant to help companies using the OpenRTB protocol to become more GDPR compliant. This OpenRTB protocol is one of the most used protocols for the practice of ‘real time bidding’: the sale of online user profiles and advertising space on the web to advertisers. When users visit a website or application that contains ads, an online auction takes place where advertisers can try to outbid one another and win the possibly to display an advertisement to the specific user, based on the personal preferences this user.
Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held amongst other things that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string.


Based on the above, TCF plays a role in the architecture of the OpenRTB protocol. TCF also makes it overall easier to record preferences of users for companies that use the so called ‘consent management platform’ (CMP). CMP is an interface that appears when a user first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a so called ‘TC-string’. This TC-string is then shared with companies who participate in the OpenRTB system.
The DPA also held that the alleged controller had to bring its processing activities in compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organizational measures to guarantee the integrity and confidentiality of a TC-string and had to check its customers taking part in TCF if they were GDPR compliant.


This way, all the companies in the OpenRTB system can know for what processing the data subject has given consent and to what processing the data subject has objected. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie can also be coupled with the IP-address of the user.
The alleged controller appealed the DPA’s decision at the Belgian Court of Appeal. It requested the Court to overturn the previous decision on various grounds. It held amongst other things that it wasn’t the (joint) controller for processing operations with the TC-string. It also stated that it didn’t process personal data in the first place.  


The DPA ordered an investigation into the practices of the controller. After the investigation was concluded, the DPA fined the controller €250,000 for various GDPR violations. In its decision, the DPA held that IAB was the controller with regard to the processing of the registration of consent and objection of users using the TC-string. The controller opposed this. The DPA also held that the controller had to implement the following:
During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the European Court of Justice (CJEU). These were in essence the following:


The controller had to provide a legal ground for the TC-string and the cookie that was placed on the device of the user (Article 5(1)(a) and 6 GDPR). The DPA held that the controller should make the use of legitimate interest as a legal ground forbidden in the terms of service for companies that used TCF in its current form. 
Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller? Is a TC-String personal data? And in combination with an IP-address?


The controller also had to guarantee the safety and integrity of a TC-string and check organizations taking part in TCF if they are GDPR compliant (Article 5(1)(f), 24, 25 and 32 GDPR). 
Question 2: Is IAB a (joint) controller?


The controller also had to prevent companies from using automatic consent / opt-in on the basis of legitimate interest (Article 24 and 25 GDPR). 
=== Holding ===
 
The Court suspended the case and referred the following questions to the CJEU:   
The controller also got an obligation to make CMP GDPR-compliant to provide transparency and information (12 to 14 and 24 GDPR). 
 
The controller also had to add the processing of personal data in TCF to their registry of processing activities (article 30 GDPR). The controller also had to conduct a DPIA (article 35 GDPR) and appoint a DPO (article 37-39). 


The measures needed to implemented within 6 months. If the controller would fail to do this, the controller would face a daily penalty of €5000. 
1)  
 
The controller appealed this decision by the DPA with the following requests for the court: Destroy the previous decision on various grounds, hold that the controller had done nothing wrong and to let the DPA and the complainant pay for the costs of the proceedings. It held amongst other things that it wasn’t the controller for processing operations for companies that used the TC-string. 
 
During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the court of justice. The DPA agreed with this request. The controller stated that the referral of questions to the ECJ was not really necessary, but when questions would be referred that these should be objective and relevant.
 
=== Holding ===
The Belgium Court rejected several arguments of the controller in its appeal against the decision by the DPA. However, the central point of this interlocutory judgment is the referred questions to the European Court of Justice (ECJ).   


The court held that the proposed questions were essentially the following:   
Is the TC-string personal data (with or without a combination with an IP-address) for the alleged controller and/or with regard to companies that use the TC-string? (Article 4(1) GDPR)


Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller? 
2)  


Question 2: Is the controller a joint controller?  
a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)?


The court suspended the case and referred the following questions (reformulated) to the ECJ before making a decision in this case: 
b) Does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB?


Question 1:
c) If IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of data subjects, such as targeted online advertising?
Is the TC-string personal data (with or without a combination with an IP-address) with regard to the controller and/or with regard to companies that have access to the TC-string?  


Question 2:
Is IAB a (joint) controller? And does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB? And when IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of internet users, such as targeted online advertising? 
== Comment ==
== Comment ==
''Share your comments here!''
''Share your comments here!''

Latest revision as of 09:55, 14 December 2023

Hof van Beroep - Tussenarrest 2022/AR/292
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25 GDPR
Article 30 GDPR
Article 32 GDPR
Article 35 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
Decided: 07.09.2022
Published:
Parties:
National Case Number/Name: Tussenarrest 2022/AR/292
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: GBA (in Dutch)
Initial Contributor: n/a

The Belgian Court of Appeal (Marktenhof) referred two questions to the CJEU. It asked whether an TC-String (code containing the user's consent decision) is personal data and asked about the nature of joint controllers.

English Summary

Facts

The Belgian 'Gegevensbeschermingsauthoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad-agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies to become more GDPR compliant. Also, TCF makes it overall easier to record preferences of data subject for companies that use the so called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string,’ which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie could also be coupled with the IP-address of the data subject.

Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held amongst other things that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string.

The DPA also held that the alleged controller had to bring its processing activities in compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organizational measures to guarantee the integrity and confidentiality of a TC-string and had to check its customers taking part in TCF if they were GDPR compliant.

The alleged controller appealed the DPA’s decision at the Belgian Court of Appeal. It requested the Court to overturn the previous decision on various grounds. It held amongst other things that it wasn’t the (joint) controller for processing operations with the TC-string. It also stated that it didn’t process personal data in the first place.  

During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the European Court of Justice (CJEU). These were in essence the following:

Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller? Is a TC-String personal data? And in combination with an IP-address?

Question 2: Is IAB a (joint) controller?

Holding

The Court suspended the case and referred the following questions to the CJEU:

1)

Is the TC-string personal data (with or without a combination with an IP-address) for the alleged controller and/or with regard to companies that use the TC-string? (Article 4(1) GDPR)

2)

a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)?

b) Does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB?

c) If IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of data subjects, such as targeted online advertising?

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.