Court of Appeal of Brussels - 2022/AR/292
Hof van Beroep - Tussenarrest 2022/AR/292 | |
---|---|
Court: | Hof van Beroep Brussel (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 5(1)(a) GDPR, Article 5(1)(f) GDPR, Article 6 GDPR, Article 12 GDPR, Article 13 GDPR, Article 14 GDPR, Article 24 GDPR, Article 25 GDPR, Article 30 GDPR, Article 32 GDPR, Article 35 GDPR, Article 37 GDPR, Article 38 GDPR, Article 39 GDPR |
Decided: | 07.09.2022 |
Published: | |
Parties: | |
National Case Number/Name: | Tussenarrest 2022/AR/292 |
European Case Law Identifier: | |
Appeal from: | GBA |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | GBA (in Dutch) |
Initial Contributor: | n/a |
The Court referred questions to the ECJ. The controller (an online advertising company) developed a standard for saving user preferences, consent and objections to processing in a file, which could be used by companies using the OpenRTB protocol.
English Summary
Facts
The DPA received complaints against a digital advertising company called ‘Interactive Advertising Bureau Europe’, in short ‘IAB’ (controller).
The complaint concerned the ‘Transparency and Consent Framework (TCF)’. This is an advertising framework for online ‘real time advertising’ that was originally developed by the controller. TCF was meant to help companies using the OpenRTB protocol to become more GDPR compliant. The OpenRTB protocol is one of the most used protocols for the practice of ‘real time bidding’: the sale of online user profiles and advertising space on the web to advertisers. When users visit a website or application that contains ads, an online auction takes place in which advertisers try to outbid one another and win the possibility to display an advertisement to the specific user, based on the personal preferences of this user.
Based on the above, TCF plays a role in the architecture of the OpenRTB protocol. TCF also makes it easier overall to record the preferences of users for companies that use the so-called ‘consent management platform’ (CMP). The CMP is an interface that appears when a user first navigates to a website or uses an application for the first time. Here, a data subject can give consent to the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a so-called ‘TC-string’. This TC-string is then shared with companies that participate in the OpenRTB system.
This way, all the companies in the OpenRTB system can know to what processing the data subject has given consent and to what processing the data subject has objected. The CMP also places a cookie on the device of the data subject in question. The TC-string and this cookie can also be coupled with the IP-address of the user.
The DPA ordered an investigation into the practices of the controller. After the investigation was concluded, the DPA fined the controller €250,000 for various GDPR violations. In its decision, the DPA held that IAB was the controller with regard to the processing of the registration of consent and objection of users using the TC-string. The controller opposed this. The DPA also held that the controller had to implement the following:
The controller had to provide a legal ground for the TC-string and the cookie that was placed on the device of the user (Article 5(1)(a) and 6 GDPR). The DPA held that the controller should prohibit the use of legitimate interest as a legal ground in the terms of service for companies that used TCF in its current form.
The controller also had to guarantee the safety and integrity of a TC-string and check whether organizations taking part in TCF are GDPR compliant (Article 5(1)(f), 24, 25 and 32 GDPR).
The controller also had to prevent companies from using automatic consent / opt-in on the basis of legitimate interest (Article 24 and 25 GDPR).
The controller was also obliged to make the CMP GDPR-compliant with regard to transparency and information (Articles 12 to 14 and 24 GDPR).
The controller also had to add the processing of personal data in TCF to its register of processing activities (Article 30 GDPR). The controller also had to conduct a DPIA (Article 35 GDPR) and appoint a DPO (Articles 37-39 GDPR).
The measures needed to be implemented within 6 months. If the controller failed to do this, it would face a daily penalty of €5000.
The controller appealed this decision by the DPA with the following requests to the court: to annul the previous decision on various grounds, to hold that the controller had done nothing wrong and to order the DPA and the complainant to pay the costs of the proceedings. It argued, among other things, that it was not the controller for processing operations for companies that used the TC-string.
During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the Court of Justice. The DPA agreed with this request. The controller stated that the referral of questions to the ECJ was not really necessary, but that, if questions were referred, they should be objective and relevant.
Holding
The Belgian court rejected several arguments of the controller in its appeal against the decision by the DPA. However, the central point of this interlocutory judgment is the questions referred to the European Court of Justice (ECJ).
The court held that the proposed questions were essentially the following:
Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller?
Question 2: Is the controller a joint controller?
The court suspended the case and referred the following questions (reformulated) to the ECJ before making a decision in this case:
QUESTION 1: Is the TC-string personal data (with or without a combination with an IP-address) with regard to the controller and/or with regard to companies that have access to the TC-string?
QUESTION 2: Is IAB a (joint) controller? And does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB? And if IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of internet users, such as targeted online advertising?
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.