APD/GBA (Belgium) - 21/2022: Difference between revisions

Revision as of 10:35, 16 February 2022

APD/GBA (Belgium) - 21/2022

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 24 GDPR Article 25 GDPR Article 30 GDPR Article 32 GDPR Article 35 GDPR Article 37 GDPR
Type:	Complaint
Outcome:	Upheld
Started:	13.10.2020
Decided:
Published:	02.02.2022
Fine:	250,000 EUR
Parties:	Johnny Ryan Pierre Dewitte Jeff Ausloos La Ligue des Droits de l'Homme Bits of Freedom IAB Europe Katarzyna Szymielewicz
National Case Number/Name:	21/2022
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	English
Original Source:	APD/GBA (in EN)
Initial Contributor:	Frederick Antonovics

The Belgian DPA fined the Interactive Adverting Bureau Europe €250,000 for violating the principles of lawfulness, fairness, and transparency (Articles 5(1)(a), 6 GDPR), and failing to comply with its transparency and information obligations (Articles 12, 13, 14 GDPR), to implement appropriate technical and organisational measures to ensure that individuals' personal data was secure, to keep records of processing activities, to carry out a DPIA and to designate a DPO.

English Summary

Facts

The IAB Europe's Transparency & Consent Framework ('TCF') set up by the Interactive Advertising Bureau Europe ('IAB Europe') facilitates the capture of website users' response to Consent Management Platforms ('CMPs'), namely whether they consented to the collection and sharing of their personal data, or objected to various types of processing based on the legitimate interests of ad tech vendors.

Users' responses are coded and stored in a “T[ransparency and] C[onsent] string”, which are shared with the organisations participating in the OpenRTB system (the most widely used protocol for “Real-Time Bidding”) so that they know to what the user has consented/objected. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement.

Since 2019, the Belgian DPA received a series of complaints about the Transparency & Consent Framework ('TCF'). The complaints related to (i) the conformity of the TCF with the principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, as well as to accountability, and (ii) the responsibility of IAB Europe and other actors involved. Four of the nine total "identical or very similar" complaints were filed directly with the Belgian DPA, the rest with other DPAs which passed them on through the IMI system. They were considered by the Litigation Chamber of the DPA as its administrative dispute resolution body (Article 32 Belgian Data Protection Act)

Holding

Language of the procedure

First, the DPA explained some background information on the language of the procedure. On 13 October 2020, the Litigation Chamber sent a letter to the parties informing them of the language of the procedure (French), and inviting them to present their written submissions. The parties contested this, which led to this judgment and this appeal of said judgment. Ultimately, whilst the DPA's correspondence with the parties was conducted in Dutch and the preliminary and final decisions of the Litigation Chamber were in Dutch, the parties were free to use the language of their choice.

RTB and TCF

Second, the DPA defined and described the Real-Time Bidding system as well as IAB Europe's Transparency & Consent Framework.

Regarding the former, the DPA defined and provided some schematic representations^[1] (of) the processing operations that underpin Real-Time Bidding. It then listed some of the risks associated with these, including: "profiling and automated decision-making; large-scale processing (including special categories of personal data); innovative use or application of new technological or organisational solutions; matching or merging of datasets; analysis or prediction of behaviour, location or movements of natural persons; invisible processing of personal data." It explained these operations carried out within the framework of RTB "can create a significant risk to the rights and freedoms of individual", particularly due to the large ecosystem of companies involved.

Regarding the latter, it principally highlighted the differences and connections between the OpenRTB protocol developed by IAB Tech Lab (based in New York) and the TCF developed by IAB Europe, namely that "the main players [publishers, adtech vendors, CMPs] within the TCF correspond to a large extent to the parties participating in the OpenRTB".

Procedure

After providing the information above, the Belgian DPA explained every step of the administrative procedure (from p.15-62). Whilst this is interesting to better understand the different arguments put forward by the parties (including some peculiar ones, such as that "IAB Europe does not participate in the TCF nor does it act as a data controller") this summary focuses on the reasoning of the DPA. It will therefore not consider these procedural elements.

Reasoning

Processing of personal data in the context of the Transparency and Consent Framework

The Belgian DPA started its explanation of the reasoning behind its decision with an assessment of whether personal data was processed by IAB Europe within the context of the Transparency and Consent Framework.

First, it restated that the concept of personal data and the notion of processing are to be interpreted broadly in light of both the GDPR and the CJEU's interpretation or European data protection law more generally. It cited the Breyer and Nowak cases to demonstrate that as long as information can be linked to an identified or identifiable natural person, it should be considered personal data.

The complaints argued that the TC String "is a unique character string which is also written into a cookie as a unique identifier and is then stored on a user's device", and that IAB Europe collected additional information about users, including special categories of personal data (Article 9 GDPR). The respondent argued that the TC String does not contain any personal data, that it does not constitute a unique identifier, and that a link between "the preferences conceived in the TC String and the user will be established only" in the context of the OpenRTB, which is not covered by the Transparency & Consent Framework. The DPA disagreed with the respondent's argument, holding that storing "the preferences of users in a TC String do constitute personal data, as these preferences relate to a singled out, identifiable natural person."

Second, the complaints argued that "the generation of the TC String corresponds to the automated creation of a unique string of characters associated with a specific user, through which their data exchange preferences are captured by the intervention of a CMP connected to the TCF" and "that the storage of a TC String in a specific euconsent-v2 cookie, on a storage system chosen by the CMP or associated with the consensu.org internet domain managed by IAB Europe" both constitute processing of user preferences. The DPA agreed, and held that "the Transparency and Consent Framework inherently entails the collection, processing, storage and subsequent sharing of users' preferences with other parties, whether or not in combination with additional personal data in the context of the OpenRTB", which amounts to processing of personal data per Article 4(2) GDPR.

Responsibility of IAB Europe for the processing operations within the Transparency and Consent Framework

Then, the Belgian DPA assessed whether IAB Europe can be held responsible for the processing operations within the Transparency and Consent Framework. IAB Europe argued it was neither a data controller nor jointly responsible for the processing of personal data collected by the participating organisations in the context of the TCF. The DPA disagreed because (i) the concept of a data controller must be interpreted broadly, and (ii) IAB Europe has a decisive influence on the purpose and means of the processing by imposing compulsory TCF parameters.

Indeed, it concluded that regardless of whether the defendant itself came into contact with the personal data, the participating parties (i.e. publishers and adtech vendors) would not be able to achieve the goals set by IAB Europe without the TCF. It therefore played a decisive role with regard to the collection, processing and dissemination of users' preferences, consents and objections. Further, it held that IAB Europe established "the purpose of the TC String, and in the broader sense of the processing of the TC String within the TCF as translated into the TCF Policies" and determined "the means of generating, storing and sharing the TC String by which the preferences, objections and consent of users are processed".

In particular, the DPA found IAB Europe to be a controller because it (i) defined how CMPs could collect the aforementioned data, (ii) developed the technical specifications of the API with which adtech vendors could access the preferences of the users, (iii) determined the storage location and method for both service-specific and globally scoped consent cookies, (iv) managed the lists of registered CMPs and adtech vendors, and (v) determined the way in which organisations participating in the TCF had to make these TC Strings available to it.

Joint controllership of publishers, CMPs and adtech vendors with regard to the means and purposes of the processing of personal data within the context of the TCF and of the OpenRTB

It continued its reasoning by assessing whether other data controllers implementing the TCF and relying on the OpenRTB protocol had "their own or shared responsibility for the personal data processing operations" they performed. It stated that the question "to be asked is whether the intended processing of personal data would be impossible without the participation of all parties, more specifically, whether the processing activities carried out by each party are inseparable and indivisible."

IAB Europe argued that the TCF and the OpenRTB system were completely independent from each other, as even without participating in the TCF, adtech vendors could freely process personal data within the context of the OpenRTB. The DPA disagreed, stating that it was "certain that the TCF was never intended to be a stand-alone, independent ecosystem." Thus, the DPA held that IAB Europe and the participating organisations were joint controllers because "the decisions translated by IAB Europe into the provisions of the TCF policies and technical specifications, on the one hand, and the means and purposes determined by the participating organisations in relation to the processing - whether or not in the context of OpenRTB - of users' personal data, on the other hand, [had to] be regarded as convergent decisions. IAB Europe provide[d] an ecosystem within which the consent, objections and preferences of users are collected and exchanged not for its own purposes or self-preservation, but to facilitate further processing by third parties (i.e. publishers and adtech vendors)."

Thus, the DPA held that IAB Europe and the participating CMPs, adtech vendors and publishers were joint controllers for the collection and subsequent dissemination of users' consent, objections and preferences, as well as for the related processing of their personal data. The responsibility of these organisations did not detract from IAB's own responsibility.

However, it specified that:

if CMPs apply TCF policies, IAB Europe is responsible for the essential means of processing and therefore jointly responsible;
if CMPs deviate from TCF policies, they are fully responsible per Article 28(10) GDPR
if CMPs follow publishers' instructions to decide which adtech vendors they share data with, publishers bear the main responsibility for this transfer - without prejudice to IAB Europe's responsibility

Breaches of the GDPR

Lawfulness and fairness of processing - Article 5(1)(a) and 6 GDPR

The DPA distinguished between two processing activities:

1. The registration of the consent signal, objections and users' preferences by means of the TC String

IAB Europe argued that because the TC String is not personal data, no basis for processing was required. The DPA disagreed, and held the processing should have been based on a lawful basis under Article 6 GDPR. Thus, the DPA assessed whether the processing could have been based on Articles 6(1)(a), (b) and (f) GDPR. It found that the first was de facto not applicable, the second prima facie not applicable, and that the company did not meet the third condition (the 'balancing test' between the interests of the controller and fundamental rights of the data subject) set out in C-13/16 / Rigas because no option whatsoever was offered to users to completely oppose the processing of their preferences in the context of the TCF, as the CMP will always generate a TC String before linking it to the user's unique User ID through a 'euconsent-v2' cookie placed on the data subject's end device - without informing them of this processing or their right to object to it. As such, the DPA held that IAB Europe's processing in the context of the TCF (of which it was the 'Managing Organisation') violated Article 6 GDPR by capturing the preferences of online users in a TC string without a legal basis.

2. Collection and dissemination of personal data in the context of the RTB

Then, the DPA first restated that the TCF aimed to capture users' consent or lack of objection to the legitimate interests of participating adtech vendors, two bases which relate to processing activities that take place under the RTB. It then nonetheless stated that Article 6 GDPR was violated because (i) the consent of the data subjects obtained through CMPs is not legally valid (ii) nor is the (pre)contractual necessity applicable, and (iii) that the legitimate interest does not meet the threefold test of the CJEU (as set out in C-13/16; C-708/18).

First, it held the consent of the data subjects obtained by the CMPs (via the TCF) is not valid in light of Article 7 GDPR. Indeed, the DPA found (amongst other things) that the proposed processing purposes were not sufficiently clearly described, and in some cases were even misleading. For example, the notion of 'measuring content performance' provided no insight into the scope of the processing, the nature of the personal data used, or how long the latter would be retained. Additionally, the user interface ('UI') failed to provide an overview of the categories of data collected and the identities of the data controllers to whom consent was given, making it impossible for data subjects to give sufficiently informed consent. As such, the DPA held that Article 6(1)(a) did not "constitute a valid legal basis for the processing and dissemination of personal data in the context of the OpenRTB, insofar as such consent was obtained in accordance with the TCF in its current format."

Second, it held that the legitimate interest of the participating organisations did not outweigh the protection of the fundamental rights and freedoms of the data subjects. To come to this conclusion, it assessed to "what extent the organisations participating both in the TCF and the OpenRTB (adtech vendors) [could] legitimately rely on Article 6(1)(f) GDPR for the predefined processing purposes that entail targeted advertising or profiling of the users, as opposed to non-marketing related purposes such as audience measurement and performance measurement." It first restated that an assessment of the necessary safeguards to prevent a disproportionate impact on data subjects needs to be performed jointly by all controllers involved in a processing activity and that both positive and negative consequences need to be considered when conducting this assessment. Then, the DPA in turn considered the:

Purpose test. It determined that the condition for specific lawful processing was not met, as it was not easy for users to assess to what extent the collection, dissemination and processing of their personal data were necessary for the intended purposes. Notably, the DPA nonetheless did not express an opinion on whether an economic interest can be regarded as a legitimate interest.
Necessity test. It determined the condition of necessity of processing was not met due to absence of measures that adequately demonstrated that no inappropriate personal data were being disseminated.
Balancing test. It determined that the interests pursued by the adtech vendors did not outweigh the fundamental freedoms and rights of the data subjects, and that "the legitimate interest of participating organizations [could not] be deemed an adequate legal ground for the processing activities occurring under the OpenRTB, based on users’ preferences and choices captured under the TCF."

As such, the DPA held that the processing of personal data under the OpenRTB on the basis of preferences captured in accordance with the current version of the TCF was incompatible with the GDPR, due to an inherent breach of the principles of lawfulness and fairness.

Duty of transparency towards data subjects - Article 12, 13 and 14 GDPR

The DPA then considered the complainants' claim that the OpenRTB ecosystem is so extensive that it is impossible for data subjects to give an informed consent to the processing of their personal data, or to object in an informed manner to the processing of their personal data on the basis of a legitimate interest. The defendants argued the TCF offers a solution to collect valid consent from users.

The DPA upheld the complainant's claim, and held that IAB Europe did not meet its transparency requirements under the GDPR because the manner in which information was provided under the TCF to data subjects was too generic, which is not compatible with the requirement that consent must be specific and informed in order to be valid. Further, the large number of adtech vendors that could receive the personal data of users was found to also not be compatible with the condition of a sufficiently informed consent, nor with the broader transparency duty set out in the GDPR.

As such, the DPA found the TCF did not comply with the obligations arising from the transparency principle, notably Articles 12, 13 and 14 GDPR.

Accountability (Article 24 GDPR), data protection by design and by default (Article 25 GDPR), integrity and confidentiality (Article 5(1)(f) GDPR), as well as security of processing (Article 32 GDPR)

1. Principle of accountability and data protection by design and by default

The DPA first simply restated the data controllers' obligations under Articles 24 and 25 GDPR, without explaining at this point whether IAB Europe complied with them.

2. The outline of the security obligation

Then, the DPA noted "a lack of respect for the obligation to ensure the security of processing on the part of the defendant, which is part of the principle of accountability." It highlighted the importance of organisations meeting this obligation, and the fact that "[t]he absence of technical and organisational measures aiming to ensure the integrity of the TC String" was a serious offence given the very large number of TC Strings generated each day within the TCF.

Indeed, it explained this finding by describing the fact that IAB Europe offers the TCF to make OpenRTB compliant with the GDPR, meaning that it should (as the managing organisation) take "organisational and technical measures to ensure that participants at least comply with the TCF policies." However, it was theoretically possible for CMPs to falsify or modify consent signals that are meant to be validated by IAB Europe to generate a 'euconsent-v2' cookie and thus reproduce a "false consent" from users for all purposes and all adtech vendors - even if this would constitute a violation of the 'TCF Vendor Compliance Programme'. Additionally, the sanction regime provided for by this programme was found to be insufficiently dissuasive, as vendors could be allowed up to 4 breaches before being forced into compliance.

As such, the DPA found that because the company did not systematically monitor compliance with the TCF and the significant impact the aforementioned violations could have, it failed to comply with its security obligations and "must take not only organisational but also technically effective measures to ensure and demonstrate the integrity of the preferential signal transmitted by CMPs to adtech vendors."

On international data transfers

Finally, the DPA interestingly held that IAB Europe "should facilitate the due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or whether they intend to transfer personal data outside the EEA through their data processors." It noted that "contrary to its obligation under the principles of accountability and of data protection by design and by default, IAB Europe did not foresee any mechanism to ensure that participating publishers and CMPs have put in place adequate mechanisms for potential international transfers of the TC String, as foreseen under Articles to 44 to 49 GDPR, both at the time of its creation and when transmitting the TC String to participating adtech vendors. The preamble of the TCF Policies merely indicates that the TCF 'is not 105 intended nor has it been designed to facilitate […] more strictly regulated processing activities, such as transferring personal data outside of the EU'." As such, the DPA held this failed to meet the requirements of Articles 24 and 25 GDPR.

Additional alleged breaches of the GDPR

In this section, the Belgian DPA in turn (quickly) assessed a number of additional potential breaches of the GDPR.

Purpose limitation and data minimisation - Article 5(1)(b) and 5(1)(c) GDPR

The DPA held that because the complainants explicitly indicated that the scope of their allegations was limited to the processing operations within the TCF, and given the limited amount of data about a user that are stored in a TC String before being saved through a 'euconsent-v2' cookie, there was no violation of the principles of purpose limitation and data minimisation in the context of this framework.

Storage limitation - Article 5(1)(e) GDPR

The DPA held that there was insufficient evidence that the TC String and the associated storage of users' personal data were stored for an unauthorised period of time, meaning that no violation of Article 5(1)(e) GDPR could be established.

Integrity and confidentiality - Article 5(1)(f) GDPR

As explained above, the DPA held that the current version of the TCF offered insufficient safeguards to prevent the values included in a TC String from being modified in an unauthorised manner, with the result that the personal data of a data subject bundled in a bid request could be processed for the wrong purposes, in breach of the integrity principle, and/or might end up with the wrong adtech vendors or the ones rejected by the user, in breach of the confidentiality principle.

As such, it held that the current version of the TCF violates Article 5(1)(f) GDPR.

Processing of special categories of personal data - Article 9 GDPR

The DPA held that although its inspectors reported a lack of appropriate rules for the processing of special categories of personal data under the TCF, this observation was not be supported by any technical analysis showing that special categories of personal data were actually processed within the TCF. As such, IAB Europe did not violate Article 9 GDPR.

Exercise of data subject rights - Articles 15–22 GDPR

The DPA held that because the complainants limited the scope of their claims to the processing of their personal data by IAB Europe within the TCF, and the inspectors could not confirm that it was impossible for data subjects to exercise their DSARs, it was "not in a position to establish a violation of the Articles 15-22 GDPR."

Records of processing activities - Article 30 GDPR

The DPA first restated that its inspectors found that IAB Europe does not keep records of its processing activities, although it provided a summary of its processing activities over the course of the DPA's investigation. It then noted this summary contained no activity relating to the TCF (with the exception of member management, including administration of the TCF), but held the records should have at least included "access to users' consent signals, objections and preferences." Further, the company should have included its intention to monitor the compliance of the various CMPs and other adtech vendors in its records of processing activities.

As such, the DPA held that the company violated Article 30(1) GDPR, as it should have kept more detailed records of processing activities.

Data protection impact assessment - Article 35 GDPR

The DPA held that IAB Europe violated Article 35 GDPR by not carrying out a data protection impact assessment, which it should have according to Decision No. 01/2019 of the Belgian DPA in light of the large number of data subjects who come into contact with websites and applications implementing the TCF, as well as the growing number of organisations participating in the TCF, on the one hand, and the impact of the TCF on the large-scale processing of personal data in the context of RTB.

Designation of a Data Protection Officer - Article 37 GDPR

The DPA held that because the TCF must be regarded as a regular and systematic observation of identifiable users IAB Europe should have appointed a DPO, and that the failure to do so amounted to a violation of Article 37 GDPR.

Sanctions

In light of the above, the Belgian DPA ordered IAB Europe:

To render the TCF compliant with the principles of lawfulness, fairness and transparency (Articles 5(1)(a) and 6 GDPR) by establishing a legal basis for the processing as well as the sharing of user preferences in the context of the TCF, in the form of a TC String and euconsent-v2 cookie placed on the users' devices for this purpose. It added that "any personal data collected so far by means of a TC String in the context of the globally scoped consents, which is no longer supported by IAB Europe, shall be deleted without undue delay by the defendant" and that it should prohibit the use legitimate interest as a legal ground for processing by the organisations participating in TCF in its current format.
To render the TCF compliant with the transparency and information obligation (Articles 12, 13, and 14 of the GDPR), by requiring TCF-registered CMPs to take a harmonised and GDPR-compliant approach regarding the information to be provided to users through their interface. Namely, any information provided about the processing must be precise, concise and understandable in order to avoid users being surprised by subsequent processing of their personal data by parties other than the publishers or IAB Europe.
To ensure compliance of the TCF with the principles of integrity and security, as well as data protection by design and by default (under Articles 5(1)(f) and 32 GDPR, and 25 GDPR) by creating effective technical and organisational monitoring measures to facilitate the exercise of data subject rights and to fix the possibility that signals are falsified; implementing a strict vetting process for organisations participating to the TCF; and prohibiting the "activati[on] of a default consent"
To keep records of processing activities carried out in the framework of the TCF, and in particular relating to the 119 processing of users' preferences and consent in the form of a TC String and the placement of a cookie euconsent-v2 on their devices.
To carry out a data protection impact assessment, covering both the processing activities under the TCF and the impact of these activities on subsequent processing under the OpenRTB.
To designate a Data Protection Officer (DPO), responsible, inter alia, for ensuring the compliance of personal data processing activities in the context of the TCF, in accordance with Articles 37 to 39 of the GDPR.

The DPA set a deadline of 6 months (from the day an action plan is validated by the DPA) for these measures to be implemented.

Finally, it issued a fine of €250,000 against IAB Europe.

Comment

This decision has widespread implications for the future of adtech, and clearly signals that the processing activities underpinning Real-Time-Bidding and adtech more broadly need to be based on real, meaningful consent rather than nonsensical 'accept all' buttons. The outcome of the appeal of this decision that is certain to appear before the Belgian Market Court will be interesting to see!

Further Resources

This decision has predictably attracted much media attention from all sides of the adtech debate:

Additionally, this decision, the legislation of adtech and the TCF more broadly have been commented on by academia for years (from most to least recent):

Nouwens, Santos, Veale, 'Impossible Asks: Can the Transparency and Consent Framework Ever Authorise Real-Time Bidding After the Belgian DPA Decision?' in Technology and Regulation (09.02.2022) https://techreg.org/article/view/11594
Borgesius, Veale, 'Adtech and Real-Time Bidding under European Data Protection Law' in German Law Journal (31.07.2021) - https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3896855. This paper was cited by the Belgian DPA in its decision.
Bielova, Matte, Santos, 'Purposes in IAB Europe’s TCF: which legal basis and how are they used by advertisers?' in Annual Privacy Forum (2020) - https://hal.inria.fr/hal-02566891/document

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

LitigationChamber

Decision on themerits21/2022 of 2February2022

Unofficial translation from Dutch

Case number: DOS-2019-01377

Concerning: Complaint relating to Transparency & Consent Framework

The Litigation Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans,

chairman, and Mr Yves Poullet and Mr Frank De Smet;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27

April 2016 on the protection of natural persons with regard to the processing of personal data and

on the free movement of such data and repealing Directive 95/46/EC (General Data Protection

Regulation), hereinafter referred to as the GDPR;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority,

hereinafter referred to as DPA Act;

Having regard to the Internal Rules of Procedure, as approved by the House of Representatives on

20 December 2018 and published in the Official Gazette on 15 January 2019;

Having regard to the documents in the file;

hastakenthefollowing decisionon:

.
The complainants: Mr Johnny Ryan; Mr Pierre Dewitte and Mr Jef Ausloos, as well as Mrs
Katarzyna Szymielewicz, who designated the NGO Panoptykon Foundation to .

act on her behalf, and the NGOs Bits of Freedom and La Ligue des Droits de .

l'Homme, all represented by Mr Frederic Debusseré and Mr Ruben Roex, and

Mr Bruno Bidon, hereinafter 'the complainants';

The defendant: IAB Europe, having its registered office at [...] 1040 Brussels, with company

number [...], represented by Mr Frank Judo and Mr Kristof Van Quathem,

hereinafter 'the defendant'.

1,Table of contents

Case number: DOS-2019-01377.......................................................................................................1

A. Facts and procedure...........................................................................................................................4

A.1. - Complaints against Interactive Advertising Bureau Europe..............................................................4

A.2. - The language of the procedure: Interim Decision 01/2021 as amended by the Interim

Decision 26/2021 of 23 February 2021 .........................................................................................................................6

A.3. - RTB and TCF........................................................................................................................................................................6

A.3.1. - Definitions and operation of the Real-Time Biddingsystem.........................................................................6

A.3.2. - IABEurope's Transparency& ConsentFramework........................................................................................12

A.4. - Reports of the Inspection Service......................................................................................................................15

A.4.1-IABEuropeactsasdatacontrollerinrespectoftheTransparencyandConsentFrameworkand

the personal dataprocessingoperations relating thereto...........................................................................................15

A.4.2. - Identified infringements ofthe GDPR.....................................................................................................................15

A.4.3. - Additional considerations that the Inspection Service considers relevant to the assessment

ofthe gravity of the facts.................................................................................................................................................................19

A.5. - Summary of the defendant's response dd. 11 February 2021.........................................................19

A.5.1.-IABEuropeisnotadatacontrollerwithregardtotheprocessingofpersonaldatainconnection

with the TCF.............................................................................................................................................................................................19

A.5.2. - The TCF complies with the GDPR...............................................................................................................................22

A.5.3. - IABEurope is notsubjectto the obligation to keep aregister ofprocessingoperations.........23

A.5.4. - IABEurope is notrequired to appointadataprotection officer..............................................................24

A.5.5. - IABEurope did cooperate with the Inspection Service.................................................................................24

A.5.6. - There are no aggravatingcircumstances to the detrimentofIABEurope .......................................24

A.6. - Summary of the complainants' reply submissions dd. 18 February 2021..............................25

A.6.1. – IABEurope is datacontroller for the TCF .............................................................................................................25

A.6.2. - The processingoperations carried out in the TCF violate the GDPRat various levels ............. 26

A.7. - Summary of the defendant's rejoinder dd. 25 March 2021..............................................................34

A.7.1. - Organisations that process personal data within the RTB system are responsible for

complyingwith the GDPRand the ePrivacy Directive...................................................................................................34

A.7.2.-IABEurope cannotbeheldresponsiblefortheallegedillegal practices ofRTBparticipants, as

the TCF is completely separate from RTB............................................................................................................................35

A.8. - Hearing and reopening of debates ....................................................................................................................36

A.9. - Procedural objections raised by the defendant ........................................................................................41

2, A.9.1. - Infringements of procedural rules applicable to the inspection report and of fundamental
rights and freedoms ofIAB Europe............................................................................................................................................41

A.9.2. - Infringements of the fundamental rights and freedoms of IAB Europe with regard to the
generalnature of the procedure for the DPA.......................................................................................................................47

A.10. - Sanction form, European cooperation procedure and publication of the decision........58

B. Reasoning...............................................................................................................................................62

B.1.–ProcessingofpersonaldatainthecontextoftheTransparencyandConsentFramework

.................................................................................................................................................................................................................62

B.1.1. – Presence ofpersonal data within the TCF............................................................................................................ 62

B.1.2. - Processingofpersonal data within the TCF ........................................................................................................ 67

B.2.- ResponsibilityofIABEurope fortheprocessingoperations withinthe Transparencyand

Consent Framework.................................................................................................................................................................68

B.2.1. - Broad interpretation of the concept of data controller by the Court of Justice and the EDPB

.........................................................................................................................................................................................................................69

B.2.2. - Determining the purposes ofthe processingofpersonal datawithin the TCF...............................71

B.2.3. - Determiningthe means for processingpersonal datawithin aTCF ......................................................74

B.3. - Joint controllership of publishers, CMPs and adtech vendors with regard to the means
and purposes of the processing of personal data within the context of the TCF and of the

OpenRTB ..........................................................................................................................................................................................79

B.3.1. - Jointprocessingresponsibility.....................................................................................................................................80

B.4. On the alleged breaches of the General Data Protection Regulation ..........................................87

B.4.1 - Lawfulness and fairness ofprocessing(Art. 5.1.aand 6GDPR)................................................................ 87

B.4.2. - Dutyof transparencytowards data subjects (Art. 12, 13 and 14 GDPR)............................................99

B.4.3. - Accountability (art. 24 GDPR), data protection by design and by default (Art. 25 GDPR),

integrity and confidentiality (Art. 5.1.f GDPR), as well as security ofprocessing(Art. 32GDPR)......101

B.4.4. - Additional alleged breaches ofthe GDPR...........................................................................................................105

C. Sanctions................................................................................................................................................111

C.1. - Breaches..............................................................................................................................................................................115

C.2. - Sanctions............................................................................................................................................................................118

3,A. Facts andprocedure

A.1. - Complaints against Interactive Advertising Bureau Europe

1. In the course of 2019, a series of complaints were filed against Interactive Advertising

Bureau Europe (hereinafter IAB Europe), for breaching various provisions of the GDPR in

relation to large-scale processing of personal data. The complaints related, in particular, to

the principles of legality, appropriateness, transparency, purpose limitation, storage

restriction and security, as well as to accountability.

2. Nine identical or very similar complaints were filed, four directly with the Data Protection

Authority (hereinafter 'DPA') and five via the IMI system with supervisory authorities in

other EU countries.

3. The Inspection Service also carried out investigations on its own initiative, pursuant to

Article 63(6) DPA Act. Since the complaints related to the same subject matter and were

directed against the same party (IAB Europe), on the basis of the principles of

proportionality and necessity in the conduct of investigations (Article 64 DPA Act), the

Inspection Service merged the above files into one case under file number DOS-2019-

01377.

4. The complainants have agreed to this merger, as well as to the request by the Litigation

Chamber to merge their submission and submit them as a joint package, in the interests of

economy and efficient proceedings.

5. In this international case, four complainants, including the NGO Ligue des Droits Humains,

are domiciled in Belgium, one in Ireland, four in different EU states, represented by the

Polish-based NGO Panoptykon, and one complainant is represented by the Dutch-based

NGO Bits of Freedom.

6. PursuanttoArticle4(1)DPAAct,theDataProtectionAuthorityisresponsibleformonitoring

thedataprotectionprinciplescontainedintheGDPR andinotherlawscontainingprovisions

on the protection of the processing of personal data.

7. Pursuant to Article 32 DPA Act, the Litigation Chamber is the administrative dispute

resolution body of the DPA .1

8. Pursuant to Articles 51 et seq. GDPR and Article 4(1) of the DPA Act, it is the task of the

Litigation Chamber, as the administrative dispute resolution body of the DPA, to exercise

effective control over the application of the GDPR and to protect the fundamental rights

1The administrative nature of the disputes before the Litigation Chamber has been confirmed by the Market Court. See in
particular the judgment of 12 June 2019, published on the website of the DPA, as well as decision 17/2020 of the Litigation
Chamber.

4, and freedoms of natural persons with regard to the processing of their personal data and to

facilitate the free flow of personal data within the European Union. These tasks are further

explained in the Strategic Plan and the management plans of the DPA, drawn up pursuant

to Article 17(2) DPA Act.

9. Moreover, as regards the one-stop-shop mechanism, Article 56 GDPR states: "Without

prejudice to Article 55, the supervisory authority of the main establishment or of the single

establishment of the controller or processor shall be competent to act as lead supervisory

authority for the cross-border processing carried out by that controller or processor in

accordance with the procedure provided in Article 60."

10. Article 4.23 GDPR clarifies the notion of cross-border processing in the following terms:

"processing of personal data which takes place in the context of the activities of

establishments in more than one Member State of a controller or processor in the Union

where the controller or processor is established in more than one Member State; or (b)

processing of personal data which takes place in the context of the activities of a single

establishment of a controller or processor in the Union but which substantially affects or is

likely to substantially affect data subjects in more than one Member State;"

11. The defendant has its only registered office in Belgium, but its activities have a significant

impact on stakeholders in several Member States, including the plaintiffs in Ireland, Poland

and the Netherlands, as well as in Belgium. The Litigation Chamber draws its jurisdiction

from a combined reading of Articles 56 and 4(23)(b) of the GDPR. The DPA was seized by

the Polish, Dutch and Irish data protection authorities following a complaint made to them

by the complainants in accordance with Article 77.1 of the GDPR. It declares that it is the

lead supervisory authority (Article 60 of the GDPR).

12. The following supervisors have indicated their willingness to act as concerned supervisory

authorities (CSA): the Netherlands, Latvia, Italy, Sweden, Slovenia, Norway, Hungary,

Poland, Portugal, Denmark, France, Finland, Greece, Spain, Luxemburg, Czech Republic,

Austria, Croatia, Cyprus, and Germany (Berlin, Rhineland-Palatinate, North Rhine-

Westphalia, Saarland, Lower Saxony, Brandenburg, Mecklenburg-Western Pomerania,

Bavaria).

13. In the course of the proceedings, additional complaints with a very similar focus to the ones

on which the present case is based were sent to the Belgian DPA, by the Maltese,

Romanian, Croatian, Greek, Portuguese, Swedish, Cypriot and Italian DPAs. These

complaints are not part of the present proceedings.

5,A.2. - The language of the procedure: Interim Decision 01/2021 as amended by the Interim

Decision 26/2021 of 23 February 2021

14. On 13 October 2020, the Litigation Chamber sent a letter to the parties, in accordance with

Article 98 DPA Act, informing the parties of the language of the procedure (French), and

inviting them to present their written submissions.

15. In response to a request by the complainants dd. 27 November 2020, and in view of the

international natureofthis case, the LitigationChamber issued InterimDecision01/2021 on

8 January 2021 regarding the language of the proceedings. Following an appeal by the

complainants to the Market Court, this Interim Decision was amended on 23 February 2021

(Interim Decision 26/2021).

16. Pursuantto thelatter InterimDecision, whichis based onan agreementwiththeparties, the

DPA's correspondence with the parties is conducted in Dutch and the preliminary and final

decisions of the Litigation Chamber are in Dutch. However, the Litigation Chamber shall

provide the parties with a French and an English translation of the final decision.

17. Moreover, the parties are free to use the language of their choice (Dutch, French or English)

in the proceedings before the Litigation Chamber, either in writing or orally. In the case of

IAB Europe, it is Frenchor English. TheDPAis notresponsiblefor translations ofprocedural

documents submitted by one party on behalf of the other.

18. Finally, the Litigation Chamber points out that it sometimes uses English language

terminology in this decision, in cases where translation into Dutch would reduce the

comprehensibility of the decision.

A.3. - RTB and TCF

19. In essence, this case concerns, on the one hand, the conformity of the Transparency &

Consent Framework (hereinafter, ‘TCF’) with the GDPR and, more specifically, the

responsibility of IAB Europe, the defendant in these proceedings, and other various actors

involved. In addition, it also pertains to the impact of the TCF on the so-called Real-Time

Bidding (RTB). Given the complexity of the latter, it is introduced here.

A.3.1. - Definitions and operation of the Real-Time Bidding system

20. In contrast to "traditional" advertising, where the parties involved manually and

contractually determine the modalities of information exchange, online advertising is

6, usually done primarily automatically and behind the scenes, through "Programmatic

advertising" methods of which real-time bidding (RTB) is the leading system . 2

21. Real-time bidding is defined in legal literature as "a network of partners that enables big

data applications within the organisational field of marketing to improve sales of pre-

determined advertising space through real-time data-driven marketing and personalised

(behavioural) advertising" .3

22. Real-time bidding refers to the use of an instantaneous automated online auction for the

sale and purchase of online advertising space. Specifically, it means that when an individual

accesses a website or application that contains an advertising space, behind the scenes

through an automated online auction system and algorithms, technology companies

representing thousands of advertisers can instantly (in real time) bid for that advertising

space to display targeted advertising specifically tailored to that individual's profile.

23. Real-time bidding works behind the scenes on most commercial websites and mobile apps.

Thousandsofcompanies areinvolved thatreceiveinformationaboutthepersonvisitingthe

website. In this way, billions of advertisements are auctioned every day.

24. In a real-time bidding system, several parties are involved : 4

A. The companies or organisations that have created and manage the relevant real-time

bidding system, including by setting its policies/governance and technical protocols.

The main ones are:

a. the "OpenRTB" system and the associated "Advertising Common Object Model"

(AdCOM), created by IAB Technology Laboratory, Inc. (abbreviated as "IAB Tech

Lab") and Interactive Advertising Bureau, Inc. (abbreviated as "IAB"), both based in

New York;

b. the "Authorised Buyers" system created by Google.

The OpenRTB is a standard protocol that aims to simplify the interconnection between ad

space providers, publishers (ad exchanges, Sell-Side Platforms, or networks working with

publishers), and competing buyers of ad space (bidders, Demand-Side Platforms, or

2
M. VEALE, R. UIDERVEENB ORGESIUS, "Adtech and Real-Time Bidding under European Data Protection Law", German Law
Journal, 31 July 2021, p. 8-10.
R. VAN EIJK, "Web Privacy Measurement in Real-Time Bidding Systems - A Graph-Based Approach to RTB system

classification",2019,p.140:"anetworkofpartnersenablingbigdataapplicationswithintheorganizationalfieldofmarketing
to improve sales by real-time data-driven marketing and personalized (behavioural) advertising", available at
https://ssrn.com/abstract=3319284; M.VEALE,FR.ZUIDERVEENBORGESIUS,ibidem, p. 3.
4Ibidem.

7, networks working with advertisers). The overall objective of OpenRTB is to establish a

5
common language for communication between buyers and vendors of advertising space .

B. On the "supply side" there are:

a. Companies that own a website or app with advertising space. In RTB jargon, these

companies are called "publishers".

b. Companies operating an automated online platform through which publishers can

optimise the value and volume of their ad space sales by signalling the availability

of their ad space to be displayed to a data subject and requesting that one or more

bid requests be made for that ad space. In RTB jargon, these companies are called

"Sell-Side Platforms" ("SSPs"). SSPs provide the available inventory of their

publishers to the various ad exchanges in the market and possibly to ad networks

and other DSPs. The most advanced SSPs work in real time. As soon as an ad space

is called up when a page is viewed on a publisher's site, the SSP searches for the

best offer on that type of ad space according to the detected visitor profile, and

automatically delivers the corresponding ad . 6

C. On the "demand side" there are:

a. Companies that want to display advertising for their products or services in a

targeted manner to visitors to websites and users of apps (the advertisers).

b. Companies operating an online platform that enables advertisers and media

agencies to carry out and optimise their purchases of advertising space, and in
7
which advertisers' ads are offered . In RTB jargon, these companies are called

"Demand-Side Platforms" ("DSPs").

D. Acting as intermediaries between them are companies, so-called "Ad Exchanges",

which bring the supply and demand side organisations together and allow them to

communicate with each other automatically so that the DSPs can bid on bid requests

from SSPs.

E. In addition, there are so-called "Data Management Platforms" ("DMPs") that extract

huge amounts and types of personal data from multiple sources (such as from devices,

cookies,mobileidentifiers,pixels,onlinesurfingbehaviour analysis,socialmedia,offline

data, butalso from third parties suchas databrokers, etc.), thencentralisethis data, and

finally analyse and categorise it by means of algorithms and artificial intelligence. By

5Technical Analysis Report of theInspection Service, 6 January 2020 (Exhibit 53), p. 11.
6Technical Analysis Report of theInspection Service, 4 June 2019(Exhibit 24), p. 5-6.

7Technical Analysis Report of theInspection Service, 4 June 2019(Exhibit 24), p. 5.

8, using a DMP, an advertiser can enrich and combine data that it himself has about

(potential)customerswithdatathatitcangetfromacentralDMP.Thus,oneofthemain

functions of a DMP is to create detailed consumer profiles through data enrichment in

order to optimise the targeting and effectiveness of marketing and advertising

campaigns and to provide personalised offers on websites and in applications . 8

25. After an advertiser has drawn up detailed consumer profiles via a DMP, it bids via its DSP

for bid requests from publishers/SSPs offering advertising space that matches those

consumer profiles.

26. In RTB jargon, SSPs, DSPs, Ad Exchanges, advertisers and DMPs are collectively referred

to as "Vendors".

9
27. Schematically this can be presented as follows :

28. This can also be represented as follows : 10

8Technical Analysis Report of theInspection Service, 6 January 2020 (Exhibit 53), p. 7.
9
M. VEALE, R.ZUIDERVEEN BORGESIUS, "Adtech and Real-Time Bidding under European Data Protection Law", German Law
Journal, 31 July 2021, p. 9.
10Technical Analysis Report of theInspection Service, 4 June 2019(Exhibit 24), p. 6.

9, 29. The content of a bid request, which contains data about online users, their device and the

websites visited, is captured by the OpenRTB system or the Authorised Buyers system.

Generally, the following categories of personal data can be communicated in a bid request
11
with advertisers :

▪ URL of the visited site

▪ Category or subject of the site

▪ Operating system of the device

▪ Browser software and version

▪ Manufacturer and model of the device

▪ Mobile operator

▪ Screen dimensions

▪ Unique user identification set by vendor and/or buyer.

▪ Unique person identifier from the Ad Exchange, often derived from the Ad Exchange's

cookie.
▪ The user identification of a DSP, often derived from the Ad Exchange's cookie that is

synchronised with a cookie from the DSP's domain.

▪ Year of birth

▪ Gender

▪ Interests

▪ Metadata reporting on consent given

▪ Geography

▪ Longitude and latitude

▪ Post code

30. As a result, it is beyond doubt that the GDPR applies ratione materiae to the RTB system, of

which the OpenRTB protocol and, to some extent, the Transparency & Consent Framework

(TCF) discussed below are essential components, as RTB operations by means of bid

requests inherently entail the processing of personal data.

31. The different steps and interactions between the SSPs, DSPs and DMPs that take place in
12
the RTB system can be summarised as follows :

11Ibidem, p. 10.
12
R. VAN EIJK, "Web Privacy Measurement in Real-Time Bidding Systems- A Graph-Based Approach to RTB system
classification", 2019, p. 150-151,availableat https://ssrn.com/abstract=3319284.

10, i. An end user requests a web page;

ii. The publisher's ad server on the web page selects an SSP;

iii. The SSP then selects an Ad exchange;

iv. The Ad Exchange sends bid requests to hundreds of network partners and offers

them the opportunity to generate a bid response;

v. The Ad Exchange allows privileged DMPs and/or DSPs to synchronise http cookies;

vi. The Ad exchange places the winning bid;

vii. The DSP serves the advertiser's ad;

viii. The ad is loaded from a CDN (Content Delivery Network, or network provider);

ix. The advertiser's server loads a Javascript for verification;

32. Real-time bidding poses a number of risks that stem from the nature of the ecosystem and

the way personal data is processed within it. These risks include : 13

▪ profiling and automated decision-making;

▪ large-scale processing (including special categories of personal data);

▪ innovative use or application of new technological or organisational solutions;

▪ matching or merging of datasets;

▪ analysis or prediction of behaviour, location or movements of natural persons;

▪ invisible processing of personal data.

13 Information Commissioner's Office, "Update report into adtech and real time bidding", 20 June 2019, p. 9 -
https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf

11, 33. Inaddition,alarge number oforganisations —suchas datacontrollers,jointdatacontrollers,

processors or other data subjects — are part of the ecosystem. This has a potentially

significant impact on data protection. Moreover, most data subjects have a limited

understanding of how the ecosystem processes their personal data.

34. As aresult, theGDPR applies to theprocessing operations carried out withinthe framework

of RTB, which are of such a nature that they can create a significant risk to the rights and

freedoms of individuals.

A.3.2. - IAB Europe's Transparency & Consent Framework

35. IAB Tech Lab has developed the OpenRTB protocol, which together with Google's

AdBuyers protocol, is the most widely used RTB protocol worldwide. IAB Tech Lab, based

in New York in the United States of America, acts as a provider of the OpenRTB standard

and should be distinguished from IAB Europe, which developed the Transparency and

Consent Framework (TCF).

36. IAB Europe is a federation representing the digital advertisement and marketing industry

on the European level. It comprises corporate members as well as national associations,

with their own corporate members. Indirectly, IAB Europe represents approximately 5.000

companies, including both large corporations and national members . 14

37. According to IAB Europe, the defendant in these proceedings, the TCF provides

accountability and transparency to the OpenRTB. The TCF constitutes a separate set of

policies, technical specifications,terms andconditions, created, managed and administered

by IAB Europe, and, according to the defendant, should be capable of informing users of the

legitimate interests pursued by advertisers, as well as obtaining the valid consent of those

users with regard to the processing of their personal data in a real-time bidding system

(such as OpenRTB).

38. Although the OpenRTB should be distinguished from the TCF, the two systems are

connected. After all, IAB Europe claims that the TCF provides an operational framework in

which the data processing operations that take place on the basis of the OpenRTB protocol

can be brought in line with the GDPR (and the ePrivacy Directive).

39. In relation to the TCF, IAB Europe states the following:

“In its current form, the TCF is a cross-industry best practice standard that facilitates the

digital advertising industry’s compliance with certain EU privacy and data protection rules

andseekstobringimprovedtransparencyandcontroltoindividualsovertheirpersonaldata.

Specifically, it is a “framework” within which businesses operate independently and which

14As indicated by the CEO of the defendant during the hearing before the Litigation Chamber, on 11 June 2021.

12, helpsthemsatisfytherequirementtohaveaGDPRlegalbasisforanyprocessingofpersonal

data and the requirement for user consent for the storing and accessing of information on a

user device under the ePrivacy Directive.” 15

40. Moreover, the main players within the TCF correspond to a large extent to the parties

participating in the OpenRTB (with the exception of the Consent Management Platforms,

i.e. ‘CMPs’):

i. Publishers— Parties who make advertising space available on their website or in

their application and who are in direct contact with users whose personal data are

collected and processed. A publisher may provide a CMP (see below) on its website

or in its app to enable it to seek and manage the consent of visitors/users to the

processing oftheir personal dataand to facilitatethe operationofTCF .Publishers16

decide which adtech vendors may collect data through their website and process

their users' personal data (and/or access their devices) and for what purposes . 17

ii. Adtech vendors — Companies that receive personal data from publishers in order

to fill advertising spaces on publisher websites or in publisher apps, such as

advertisers, SSPs, DSPs, Ad Exchanges, and DMPs.

iii. Consent Management Platforms— Specifically for TCF, there are also companies

that offer so-called "Consent Management Platforms" (CMPs). Specifically, a CMP

takes the form of a pop-up that appears during the first connection to a website to

collect the Internet user's consent to the placement of cookies and other

identifying information . 18

41. An essential part of the intervention of a CMP is the generation of a character string

consisting of a combination of letters, numbers and other characters. This string is called

the"TCString"by IABEurope,whichstands forthe"TransparencyandConsentString".The

TC String is meant to capture in a structured and automated way the preferences of a user

when he visits a website or app of a publisher that has integrated the CMP. This concerns in

particular the capturing of consent (or not) to the processing of personal data for marketing

and other purposes, whether or not to share personal data with third parties (adtech

vendors) and the exercise or not of the right to object.

42. Vendors decipher the TC String to determine whether they have the necessary legal basis

to process a user's personal data for the specified purposes. Thanks to its concise data

1Conclusions of the defendant’s reply dated 25 March 2021, para.32.

16 Information Commissioner's Office, "Update report into adtech and real time bidding", 20 June 2019, p. 11-12,
https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf.
1Conclusions of the defendant's reply dated. 25 March 2021, para.36.
18
Technical Analysis Report of theInspection Service, 6 January 2020 (Exhibit 53), p. 59.

13, format, the CMP can store and retrieve a user's preferred data at any time and pass this
19
information on to adtech vendors who need it .

20
43. This can be represented schematically as follows :

i. An Internet user browses the website of a publisher, for example a news website.

ii. The publisher ensures that a CMP is activated on its website or in its app when the

user arrives.

iii. TheCMPchecks whether aTC String alreadyexists for this useror not.Ifa"globally

stored" TC String 21is chosen, the CMP will contact the IAB Europe-managed

consensu.org internet domain to verify from there whether there is already a so-

called "consensu" cookie on the user's device. In particular, this relates to the

euconsent-v2 cookie.

iv. If the third step shows that the TC String does not yet exist or is not up to date, in a

fourth step the CMP will show the user a user interface where he can consent to

the collection and sharing of his personal data.

v. The Internet user makes a choice in the user interface.

vi. The CMP generates the TC String and places a euconsent-v2 cookie on the user's

device or updates the existing cookie.

19Technical Analysis Report of theInspection Service, 6 January 2020 (Exhibit 53), p. 75.
20Conclusions of the complainantdated. 18 February 2021, para. 18.
21
Also referred to as “globally scoped consents”.

14,A.4. - Reports of the Inspection Service

A.4.1 - IAB Europe acts as data controller in respect of the Transparency and Consent

Framework and the personal data processing operations relating thereto

44. In these proceedings, the Inspection Service focused its investigation exclusively on IAB

Europe, which the Inspection Service identified as the data controller for the TCF. The

Inspection Service supports this initial finding with the fact that IAB Europe developed the

TCF,withwhichIABEuropeimposesbindingrulesonparticipatingorganisations.According

to the Inspection Service, these binding rules relate in particular to the processing of

personal data in the context of the collection and processing of consent, as well as the

preferencesofonlineusers,regardingprocessingpurposesandauthorised adtechvendors.

45. The Inspection Service bases its report on two technical analyses related to the Open

Realtime Bidding API Specification of IAB Europe, as well as the different mechanisms

under the OpenMedia specification of IAB Tech Lab, including the Transparency and

Consent Framework developed by IAB Europe jointly with IAB Tech Lab . 22

46. With regard to the OpenRTB protocol, the Inspection Service concludes that IAB Tech Lab,

which developed this open technical standard and is based in New York (USA), merely acts

asaproviderofthesystemwithrespectto participatingorganisationsandtherefore cannot

be considered a data controller. In contrast to the TCF, the OpenRTB allows the processing

of personal data in accordance with means and purposes entirely determined by the

participating organisations, but not by IAB Tech Lab.

47. Finally, the Inspection Service states that the Belgian DPA is not competent for the

Authorised Buyers protocol, which was developed by Google as an alternative to the

OpenRTB standard.

A.4.2. - Identified infringements of the GDPR

48. The Inspection Service finds that IAB Europe is in breach of the following legal provisions

and principles of the GDPR with its Transparency and Consent Framework:

▪ Articles 5.1.a and 5.2 (principles of fairness, transparency and accountability)

▪ Article 6.1 (lawfulness of processing);

▪ Article 9.1 and 9.2 (processing of special categories of personal data);

▪ Article 12.1 (transparency of information, communications and modalities for

exercising data subjects' rights);

22Technical Analysis Reports of the Inspection Service, 4 June 2019 (Exhibit 24) and 6 January 2020 (Exhibit 53). Whereas
IAB Europe drafted the TCF Policies, IAB Tech Lab developed the technical specifications in accordance with said Policies.

15, ▪ Article 13 (information to be provided when personal data have been obtained from

the data subject);

▪ Article 14 (information to be provided when personal data have not been obtained

from the data subject);

▪ Article 24.1 (responsibility of the data controller);

▪ Articles 32.1 and 32.2 (security of processing).

49. Outside the scope of the complaints, the Inspection Service also finds additional

infringements of the following provisions of the GDPR:

▪ Article 30 (register of processing activities);

▪ Article 31 (cooperation with the supervisory authorities);

▪ Article 24.1 (responsibility of the data controller);

▪ Article 37 (appointment of a data protection officer.

Finding 1 - IAB Europe wrongly uses legitimate interest as a basis for processing personal data

under the TCF, whereby special categories of personal data may also be processed in certain

cases.

50. Based on the two versions of the IAB Europe Transparency & Consent Framework

Policies , the Inspection Service notes that IAB Europe places the responsibility for

compliance with the principles of transparency and fairness on the CMPs and/or publishers.

Moreover, IAB Europe takes the position that the legitimate interest of participating

organisations is an appropriate basis for processing personal data within the framework of

the TCF in order to create an advertising profile of the data subjects and to display

personalisedadvertisingtothem.However,accordingtothe InspectionService,IABEurope

fails to provide evidence that the interests, in particular the fundamental rights and

freedoms, of data subjects were adequately considered in the process.

51. Incidentally, the Inspection Service notes that in certain circumstances, special categories

of personal data may also be collected and processed by the participating organisations.

For example, participating organisations could learn about the websites previously visited

by a data subject, whereby the political opinions, religious or philosophical convictions,

sexual orientation, health data or even trade union memberships of the data subjects could

be inferred or revealed.

52. TheInspectionService considers thatIAB Europehas thus failed to comply adequatelywith

the principles of transparency and fairness in relation to the persons concerned.

23IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32); IAB Europe Transparency &
Consent Framework Policies v2019-04-02.2c (Exhibit 38).

16, Finding 2 - The information provided does not comply with Articles 12.1, 13 and 14 of the GDPR

53. The Inspection Service also finds that the privacy policy that IAB Europe makes available to

data subjects is not always transparent or understandable, which constitutes a breach of

the obligations arising from Articles 12.1, 13 and 14 of the GDPR.

24
54. The privacy policy of IAB Europe is available only in English. In addition, the privacy policy

contains several terms that, without further explanation, are unclear to those involved. By

way of example, the Inspection Service mentions "services" and "other means".

55. Moreover, according to the Inspection Service, the information provided is incomplete and

inadequate.Firstly, datasubjects arenotinformed of the exactlegitimateinterests pursued

by IAB Europe.Secondly, itis noteasy for datasubjects to distinguishbetween thedifferent

recipients or categories of recipients of their personal data; the terms "third parties" and

"partners" are not understandable without further explanation. Thirdly, data subjects are

not informed, on the one hand, about the reference to appropriate or sufficient safeguards

for the international transfer of their personal data outside the EEA or, on the other hand,

about how to obtain a copy or where it is made available. Fourthly, based on the privacy

policy of IAB Europe, it is not clear to data subjects that their personal data can be obtained
25
by IAB Europe via its TCF . Fifthly, the conditions under which data subjects must provide

their personal data, in particular whether this collection is organised on the basis of a legal,

pre-contractual or contractual obligation, are not clearly set out. Nor are the data subjects

informed of the possible consequences of not providing their data.

56. Therefore, the privacy policy does not comply with the obligations enshrined in Articles 13

and 14 of the GDPR.

Finding 3 - IAB Europe does not foresee any compliance control under the TCF policy rules

57. On the basis of the two versions of the IAB Europe Transparency and Consent Framework

Policies , the Inspection Service is of the opinion that IAB Europe does not sufficiently

monitor compliance with the rules it has developed with regard to participating

organisations. In particular, it would be possible for a CMP to continue exchanging personal

datawithapublisherevenifitreasonablyconsidersthatthisPublisherdoesnotcomplywith

the rules imposed by IAB Europe in the context of its TCF or the rules imposed by the

legislation .

24Exhibit 41.
25
TermsandConditionsfortheIABEuropeTransparency &ConsentFramework("TermsandConditions")(Exhibit33),p. 7.
26IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32); IAB Europe Transparency &
Consent Framework Policies v2019-04-02.2c (Exhibit 38).
27
IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), p. 11 ; IAB Europe Transparency &
Consent Framework Policies v2019-04-02.2c (Exhibit 38), p. 6.

17, 58. Given the role that IAB Europe assigns to itself, namely that of Managing Organisation, this

disregard for the risks to the rights and freedoms of data subjects would indicate a breach

of Article 24.1 GDPR as well as of the obligation to provide appropriate security for the

processing of personal data, pursuant to Articles 32.1 and 32.2 GDPR.

Finding 4 - IAB Europe failed to keep a register of processing operations

59. The Inspection Service also notes that IAB Europe does not consider itself obliged to keep

aregister ofprocessing activities, based on theexceptionprovided in Article30.5 GDPR for

organisations with fewer than 250 persons . The Inspection Service also points out that

IAB Europe did not initially provide a copy of its register of processing activities to the

Inspection Service.

60. Only in a second reply 29 did IAB Europe decide, for the sake of completeness, to provide a

register of processing activities, although the organisation still does not consider itself

subject to the obligation under Article 30.5 GDPR.

Finding 5 - IAB Europe did not cooperate sufficiently with the investigation by the Inspection

Service

61. Based on finding 4, and with reference to the delay with which IAB Europe responded to the

Inspection Service's requests for additional information, the Inspection Service concludes

that the conduct of IAB Europe in the context of its investigation is in breach of the duty to

cooperate under Article 31 of the GDPR.

Finding 6 - IAB Europe failed to appoint a data protection officer, although as Managing

Organisation it reserves the right to access the (personal) data that organisations participating

in the TCF collect and process

62. IAB Europe asserts 30 that it does not fulfil the conditions referred to in Article 37.1.b of the

GDPR, as "IAB Europe is a professional association whose main activities are to provide

information and tools to stakeholders (in particular, companies) operating in the digital

advertisingsector,aswell astoprovideinformationtothegeneralpublicinordertoimprove

their knowledge and to inform them of the value that digital advertising brings to the

market". For these reasons, IAB Europe has not appointed a data protection officer.

63. According to the Inspection Service, the approach of IAB Europe set out above is not

supported by the facts. IAB Europe developed and manages the TCF in its capacity as

Managing Organisation and as such, as well as under the terms and conditions of the IAB

28IAB Europe- Response to Belgium DPA, 26 June 2019 (Exhibit 22), p. 2-3.
29
IAB Europe response to the Inspection Report, 10 February 2020(Exhibit 57).
30In its reply to the Inspection Service dated 26/06/2019 and 20/08/2019, Exhibits 22 and 29.

18, 31
Europe Transparency & Consent Framework , has a right to access and to store and

process all information provided by participating organisations.

A.4.3. - Additional considerations that the Inspection Service considers relevant to the

assessment of the gravity of the facts

64. TheInspectionService refers to thejudgmentofthe Court ofJusticeof theEuropean Union

(hereinafter "the Court of Justice") in Case C-25/17 (Jehovah's Witnesses) , in which the

Court clarified that the definition of data controller must be interpreted broadly in order to

ensure effective and complete protection of data subjects. In this regard, the Inspection

Service argues that IAB Europe is trying to evade its responsibility under the GDPR.

65. The Inspection Service refers to clauses included under Title 10 "Liability" of the General

Terms and Conditions for the TCF , with which IAB Europe places the responsibility for the

processing ofpersonal datacollected by theparties ofthedigital advertising sector entirely

on the CMPs, publishers and other adtech vendors . Indeed, these clauses expressly state

that IAB Europe does not guarantee in any way that:

▪ the consent given by CMPs or publishers to authorised partners (global adtech

vendors)hasbeencollectedandprocessedinaccordancewith,inter alia,theGDPR;

▪ any data processing carried out in connection with, or on account of, the TCF shall

comply with all relevant laws and regulations, including the GDPR.

A.5. - Summary of the defendant's response dd. 11 February 2021

A.5.1. - IAB Europe is not a data controller with regard to the processing of personal data in

connection with the TCF

66. The defendant refutes the Inspection Service's view that it acts, in its capacity as Managing

Organisation, as a data controller in respect of the personal data processed by participants

in the Transparency and Consent Framework.

67. According to the defendant, the TCF in no way obliges the participating organisations to

pursue certain objectives, but merely aims to provide the information, which must be

provided to data subjects in accordance with Articles 12 and 13 of the GDPR, in a

31Terms and Conditions for the IAB Europe Transparency & Consent Framework ("Terms and Conditions") (Exhibit 33).
32
CJEU judgment of 10 July 2018,C-25/17, Jehovah's Witnesses, ECLI:EU:C:2018:551.
33Terms and Conditions for the IAB Europe Transparency & Consent Framework ("Terms and Conditions") (Exhibit 33).
34
In particular, the Supply-Side Platforms, Demand-Side Platforms, Ad Exchanges, Advertisers and Data Management
Platforms.

19, streamlined and standardised manner by means of the CMPs. In contrast, the actual

processing purposes are determined by the participating organisations, without the

intervention of the defendant.

68. Firstly, the defendant addresses the lack of legal capacity (ratione personae) on the part of

the DPA, and more specifically the Inspection Service, to conduct an investigation and to

challenge the TCF. The defendant also refers to the DPA's capacity to hold the actual data

controllers, i.e. the participants in the TCF, accountable for possible infringements of the

GDPR, where necessary.

69. According to the defendant, the TCF as such does not entail any processing of personal

data and the Inspection Report does not show for which processing activities IAB Europe

should be regarded as the data controller.

70. Secondly, it argues that a broad definition of the concept of a data controller, as proposed

by the Inspection Service, is not justified in the context of the TCF, since there are already

clearly identified data controllers, on the one hand, and in view of the fact that the TCF has

no influence on the processing of personal data that takes place in the context of the

OpenRTB protocol, on the other. More specifically, the defendant refers to the lack of any

influence on both the means and ends of processing within the RTB system.

71. The defendant also considers that the Jehovah's Witnesses judgment cited above does not

apply to the situation of IAB Europe, for the following reasons:

▪ Unlike the Jehovah's Witness Community, IAB Europe does not "organise,

coordinate or promote" in any way the processing of personal data by TCF

participants.

▪ The processing of personal data by TCF participants for RTB purposes is not in the

interest of IAB Europe.

▪ TCF participants have no common purpose in processing personal data and only

participate in the TCF with the aim of achieving their individual objectives in a

manner that is compliant with the GDPR.

35
72. Thedefendant is of theopinion that the Wirtschaftsakademie ruling does not apply to IAB

Europe either, as the defendant never disseminates information (i.e. advertising) on behalf

of or at the behest of advertisers; does not choose an advertising platform or other

communication channel; and does not set any parameters or processing purposes, unlike

the participants in the TCF who do decide on these matters. According to the defendant,

IAB Europe is not actively involved in any RTB processing and it does not initiate such

35CJEU judgment of 5 June 2018,C-210/16, WirtschaftsakademieSchleswig-Holstein, ECLI:EU:C:2018:388.

20, processing in any way or form. The data processing associated with the OpenRTB system

is carried out exclusively by TCF participants and therefore takes place independently of

IAB Europe or the TCF.

73. Thirdly, it discusses the definition of a data controller as explained in guidelines issued by

the European Data Protection Board (EDPB). 36The defendant claims that it does not

exercise any discretion as to the purposes or means of the processing of personal data

within the framework of the TCF. Furthermore, IAB Europe does not process personal data

in a way that could be regarded as "inseparable" from, or "inextricably linked" to, the

processing of personal data by participants in the TCF. Also, the fact that participating

organisations pay a financial fee to IAB Europe does not constitute, according to the

defendant, a "mutual benefit" that would lead to a joint processing responsibility.

74. Moreover, the defendant emphasises the lack of decisions or guidelines from other

supervisory authorities which could support the Inspection Service's view. In particular, the

Belgian, German, French and UK supervisory authorities failed to identify IAB Europe as a

(joint) data controller. Specifically, the Conference of Independent Data Protection

Authorities of the German Federation and the Länder decided in September 2019 that IAB

Europe was acting purely as a representative organisation in the sector of programmatic

advertising. In addition, the German supervisory authorities confirmed their position in

November 2019, when they announced that any enforcement proceedings related to

complaints against online advertising should be initiated against TCF participants, but not

against IAB Europe. According to the defendant, the French supervisory authority (CNIL)

also indirectly accepted the view that IAB Europe was not responsible for the processing

operations carried out by participants in the TCF. Also, the UK ICO has allegedly never

identified IAB Europe as a potential data controller within the RTB ecosystem at any point.

75. Finally, the defendant refers to the possible consequences for other organisations subject

to the GDPR if the Litigation Chamber were to rule that IAB Europe is indeed (co-

)responsible for the processing of personal data within the framework of the TCF. In

particular, according to the defendant, such a decision would mean that any umbrella

organisation which develops and adopts a code of conduct would, merely by virtue of its

supervisory role, be deemed to be co-responsible with regard to the processing operations

carried out by other organisations in accordance with that code of conduct.

36EDPB - Guidelines 07/2020 on the concepts of data controller and processor in the GDPR, v2.0, 2021.

21, A.5.2. - The TCF complies with the GDPR

a. Legality and legal basis

76. First of all, the defendant argues that IAB Europe, unlike the participating organisations, is

not at all obliged to explain to the Inspection Service the existence of a legitimate interest,

including a balancing of the interests of participating organisations against the rights and

freedoms of data subjects, since IAB Europe does not participate in the TCF nor does it act

as a data controller.

77. Moreover, the defendant claims that the DPA is not authorised to prohibit participants in

theTCF fromprocessing personal dataofdatasubjects onthebasis ofalegitimateinterest.

On the contrary, the assessment of the merits of the legitimate interests asserted by the

participants must be made on a case-by-case basis, and therefore cannot be prohibited in

advance and in absolute terms by the DPA.

78. As regards the allegations that IAB Europe processes special categories of personal data

within the framework of the TCF, or is allegedly jointly responsible for the processing of

such personal data by the participating organisations, the defendant points out that such

categories of personal data may, if necessary, only be processed within the framework of

the OpenRTB, as opposed to the TCF. The defendant refers in this regard to the TCF

Policies, which expressly prohibit the use of the TCF to process special categories of

personal data.

b. Transparency

79. In view of the fact that IAB Europe does not act as a data controller in respect of personal

data processed for RTB purposes, the defendant argues that it cannot be expected to

inform data subjects in accordance with Articles 12 and 13 of the GDPR either.

80. Moreover, the defendant claims that the privacy policy which the Inspection Service

invokes as evidence of possible infringements of the principle of transparency is applicable

exclusively to the processing of personal data collected on the various websites operated

by the defendant, as well as to the personal data collected in connection with the

participating organisations (in particular, the contact details of representatives of those

organisations). In other words, the privacy policy to which the Inspection Service refers has

no connection whatsoever, according to the defendant, with the processing activities in the

context of the OpenRTB system.

81. The defendant also disputes any allegation that IAB Europe, in its capacity as Managing

Organisation, reserves the right to access the personal data collected and exchanged by

the participating organisations within the framework of the TCF and the OpenRTB system.

IAB Europe claims that this assumption is not based on any evidence and is due to an

22, incorrect interpretation of the possibility offered to the defendant to process personal data

of representatives of participating organisations.

82. Moreover, the defendant considers that it is entitled to offer the privacy policy exclusively

in English, since the target audience is mainly professional, B2B actors. The defendant

points out that Belgian law does not provide for any obligation to make a privacy policy

available in French or Dutch and that, moreover, Belgium has failed to make use of the

possibility of adopting additional requirements concerning the use of language within the

framework of the European Directive on consumer rights . 37

c. Security

83. The defendant claims that the charges concerning the lack of technical and organisational

measures to protect personal data in connection with the TCF are unfounded.

84. First of all, the defendant takes the view that IAB Europe is not subject to Articles 24 and

32 of the GDPR in respect of the data processing operations carried out within the TCF, as

the organisation is not a data controller.

85. Secondly, the Transparency & Consent Framework Policies provide that participants in the

TCF must report infringements of TCF rules to IAB Europe. Again, the defendant claims

that the Inspection Service is misinterpreting the TCF Policies, in particular by granting

CMPs the right to terminate the cooperation if they consider that a publisher does not

comply with the rules, without suffering any contractual disadvantage. In addition, the

defendant notes that infringements of the rules provided for in the TCF can always be

reported to the supervisory authorities, which will then take action if they deem it

necessary.

d. International transfer of personal data

86. IAB Europe refutes the complainants' allegations concerning the international transfer of

personal data within the framework of the TCF. The defendant notes in this regard that

these allegations are only relevant in the context of the OpenRTB system, which is not at

issue in this case. Incidentally, IAB Europe cannot be held responsible for the transfer within

the framework of the OpenRTB System.

A.5.3.-IABEuropeisnotsubjecttotheobligationtokeeparegisterofprocessingoperations

87. The defendant emphasises that it can invoke the exception provided for in Article 30.5, in

particular that the organisation does not have to keep a register of processing activities, as

37Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending
CouncilDirective93/13/EECandDirective1999/44/ECoftheEuropeanParliamentandoftheCouncilandrepealingCouncil
Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council, OJ L 304/64.

23, IAB Europe is not a data controller in respect of the processing activities carried out within

the TCF and, moreover, the organisation has fewer than 250 employees. Nevertheless, the

defendant emphasises its own initiative in drawing up a register and submitting it to the

Inspection Service, as well as the fact that this register does not relate to processing

activities relating to the TCF.

A.5.4. - IAB Europe is not required to appoint a data protection officer

88. Having regard to the nature and scope of the processing activities carried out by the

organisation, the defendant states that IAB Europe is not required to appoint a data

protection officer, since the criteria laid down in Article 37 of the GDPR are not met.

A.5.5. - IAB Europe did cooperate with the Inspection Service

89. The defendant refutes the allegations of insufficient cooperation with the investigation,

noting that the time limits imposed by the Inspection Service on parties to an investigation

are in no way determined by law, but mustbe theresult of reasonable assessment and must

takeinto accountthespecific circumstances ofthecase. Inthepresentcase, the defendant

takes the view that IAB Europe has always cooperated in good faith and provided

information and replies in an attempt to clarify its status in relation to the TCF and to

demonstrate its compliance with the GDPR, in so far as it applies to IAB Europe.

90. In addition, the defendant observes that the duty of cooperation under Article 31 of the

GDPR cannot in any way be construed as an obligation to provide documentation in

accordance with provisions of the GDPR which the defendant does not consider to be

required.

A.5.6. - There are no aggravating circumstances to the detriment of IAB Europe

91. Finally,IABEuropedisputestheInspectionService'sfindingthatthedefendant'sdenialthat

IAB Europe is acting as a data controller, as well as the large volume of both personal data

processed and of participating organisations, may be regarded as aggravating

circumstances.

92. The defendant refers to the lack of clear evidence in the investigation report that these

circumstances are aggravating and concludes that the allegations are due to insufficient

knowledge of the operation of the TCF. Consequently, the defendant requests the

Litigation Chamber to disregard the opinion of the Inspection Service.

24,A.6. - Summary of the complainants' reply submissions dd. 18 February 2021

A.6.1. – IAB Europe is data controller for the TCF

a. Processing of personal data within the framework of the TCF

93. The complainants argue that a unique identification number, such as the TC String

generated and stored in a cookie, is personal data within the meaning of Article 4(1) of the

GDPR, a position which has also been expressly confirmed in case law prior to the GDPR.

94. Moreover, according to thecomplainants, theTC String is more thanjust a uniqueidentifier,

as IAB Europe allegedly also uses the TC String to collect information regarding which

applications a data subject uses and which websites he visits. This could also reveal

sensitive data on data subjects within the meaning of Article 9 of the GDPR.

95. Furthermore, the generation of the TC String in itself constitutes, without any doubt,

processing of personal data. The issue at hand is the automated creation, by a CMP

registered with the TCF, of a unique and linked set of characters intended to capture a

specific user's preferences regarding permitted data exchanges with advertisers.

96. The sharing of the TC String with CMPs takes place, according to the complainants, in two

ways:

a. storing the TC String in a shared globally scoped consent cookie on the IAB Europe

consensu.org internet domain; or

b. storing the TC String in a storage system chosen by the CMP if it is a service-

specific permission.

97. According to the complainants, in both cases IAB Europe is the data controller of those

processing operations. The intervention of IAB Europe is, moreover, all the more drastic in

the hypothesis of the shared global consent cookie. Indeed, that shared globally scoped

consent cookie that stores the TC String points to the "consensu.org" domain, managed by

IAB Europe, from where CMPs can access and update the shared TC String.

b. IAB acts as data controller for the processing operations within the TCF

98. First of all, the complainants believe that IAB Europe, in its "Frequently Asked Questions"

about the TCF, explicitly states that it is responsible for the TCF Policies.

99. According to the complainants, it goes without saying that the organisation that manages

and operates the TCF is also the data controller of this system, including any processing of

personal data imposed and organised by the TCF. After all, IAB Europe imposes these

personal data processing operations on the other participants in an enforceable manner.

100. Furthermore, IAB Europe requires CMPs to implement the TCF strictly according to its

Technical Specifications. In the TCF Technical Specifications, IAB Europe explains in detail

25, which personal data must be processed by the participants, for what purposes and by what

means.

101. IAB Europe also requires CMPs, in the case of a global consent, to store the character string

in a shared global consent cookie on the "consensu.org" domain. Since this internet domain

is registered and managed by IAB Europe, the defendant also has access to the personal

data processed in the TCF.

102. Moreover, according to the complainants, IAB Europe determines the so-called "essential

means" for the processing of personal data within the TCF. On the one hand, IAB Europe

specifies in detail which elements must be included in the TC String. And, on the other hand,

IAB Europe determines the categories of recipients of that personal data, as the defendant

is responsible, in its own words, for the management of the Global Vendor List and the

management of the CMPs participating in the TCF.

103. The complainants also believe that TCF does not provide an effective mechanism to
38
enforce certain policies , although a code of conduct is intended to be an effective system

for compelling its members to comply, as stipulated in Article 41 GDPR.

A.6.2. - The processing operations carried out in the TCF violate the GDPR at various levels

a. Infringement of the principles of purpose, proportionality and necessity

104. According to the complainants, IAB Europe collects users' preferences in the TCF via the

TC String for a vague, inaccessible and abusive purpose, while the personal data processed

is insufficient and irrelevant for this purpose.

105. Moreover, the processing in itself is alleged to be anything but proportionate, which means

that IAB Europe is in breach of Articles 5(1)(b) and 5(1)(c) of the GDPR, as well as its duty of

responsibility as the data controller, laid down in Article 5(2) of the GDPR. Furthermore, the

complainants consider that, with the design of the TCF, IAB Europe does not provide the

necessary guarantees for compliance with the requirements of the GDPR and for the

protection of the rights of data subjects; consequently, the defendant infringes Article 25

GDPR.

The purpose of processing the TC String is neither specified nor explicitly defined for data

subjects, nor is it justified

106. According to the complainants, IAB Europe does not provide information to data subjects

concerning the processing of their personal data in the TCF.

38See para. 133 et seq. of this decision.

26,107. The purpose of the TC String within the overall purpose of the TCF is to capture the

information provided to users and their processing preferences. In other words, IAB Europe

does processpersonal data(inparticular theTC String) withintheTCF becauseit claims this

could bring the underlying marketing-related processing in line with the GDPR. According

to the complainants, it is therefore this purpose that must be assessed in terms of its

lawfulness, and in the light of this purpose, the proportionality and necessity of the TC

String's processing within the TCF must be assessed.

The TC String is inadequate and not relevant for the intended purpose

108. The complainants further argue that the TC String's processing operations within the TCF

are insufficient and not relevant to ensure compliance with the GDPR when personal data

are processed through the OpenRTB system.

109. The OpenRTB system contains an inherent security problem that makes it impossible for a

system such as the TCF to guarantee, among other things, the necessary transparency and

accountability with regard to personal data, including special categories of personal data,

processed in a bid request after the bid request has been sent out.

110. The central idea behind the TCF is that participants collect user preferences and transmit

them in the form of the TC String, so that other participants take note of the content (i.e.

read the TCF signal) and can therefore respect the user preferences. However, according

to thecomplainants, thereis nothing intheTCF, or inany related systemor mechanism, that

actually ensures that participants in the OpenRTB system are bound by the TCF signal. The

TCF signal is therefore no more than a mere notification.

111. Given the inherently unlawful nature of processing personal data in the OpenRTB system,

on the one hand, and the inherently imperfect nature of a purely signal-based system such

as the TCF without effective control, on the other, the use of the TCF, including the

processing of the TC String, can never give participants the assurance of being in

compliance with the GDPR. After all, the TCF offers no guarantee whatsoever that TCF

participants will comply with their accountability obligations (Article 5.2 of the GDPR). Nor

can it provide adequate protection for the personal data shared through the OpenRTB

system (Article 5.1.f GDPR).

IAB Europe set up the TCF in such a way that data protection by design is not guaranteed

112. The complainants argue that the design of the TCF, due to its disproportionate nature,

cannot guarantee the level of data protection required under Article 25 GDPR, in particular

in view of the obligation arising from Article 25 GDPR to implement appropriate technical

and organisational measures to ensure that, in principle, only personal data that are

necessary for each specific purpose of the processing are processed.

27,113. The processing of personal data within the TCF, in particular the TC String, is therefore not

necessary for the specific purpose as, according to the complainants, that purpose cannot

and will not be achieved in any case.

114. Moreover, the complainants argue that the TC String, as an independent personal data that

uniquely identifies users, is shared with numerous participants through various

mechanisms, including through IAB Europe's own mechanism of the shared global consent

cookie on its "consensu.org" internet domain.

b. Infringement of the principles of fair, lawful and transparent processing (Articles 5, 6, 12, 13

and 14 GDPR)

115. The complainants allege that datasubjects are notinformed in any way of the factthat their

personal data (including the TC String) are systematically and widely processed by IAB

Europe within the TCF.

116. Accordingtothecomplainants,theprocessingofthepersonaldataofthecomplainantsand

other data subjects by IAB in the TCF is after all:

▪ anything but lawful as there is no legal basis;

▪ neitherpropernortransparent,asittakesplaceentirely"behindthebacks"ofthose

affected, without any form of notification.

IAB Europe's processing operations lack a legal basis and are therefore unlawful

117. IAB Europe cannot rely on the consent of data subjects (Article 6.1.a GDPR), according to

the complainants, as it never sought or obtained such consent. Also nowhere in the TCF

Policies, Technical Specifications or General Terms and Conditions is a mechanism cited

whereby IAB Europe would ask data subjects for permission to generate a unique

identifying string of characters that shares their privacy preferences with a mass of

recipients, even in cases where those data subjects indicate in a CMP that they do not wish

to share personal data with anyone.

118. According to the complainants, IAB Europe also cannot invoke the necessity of the

processing of the TC String within the TCF for the performance of a contract with the

complainants and other data subjects (Article 6.1.b), as there is no contract between data

subjects and IAB Europe.

119. Furthermore, the complainants argue that the defendant may also not rely on the necessity

of the processing of the TC String within the TCF to serve its legitimate interests, or those

of a third party (Article 6.1.f GDPR). The required balancing of interests would always be in

favour of those affected.

120. First of all, the processing of the TC String does not benefit the data subjects in any way as

the TCF is not able to guarantee security, accountability or transparency. Moreover, there

28, is no legitimate interest, as this interest is not sufficiently clearly articulated anywhere, and

it is not possible to balance it against the interests and fundamental rights of the data

subjects.

121. Secondly, in balancing the interests, the data controller must in principle take into account

several factors:the effects ofthe processing onthe datasubject, the nature of the personal

data processed, the way in which these personal data are processed, the data subject's

reasonable expectations, and the status of the data controller and the data subject.

122. According to the complainants, the consequences of the processing of the TC String are

particularly far-reaching for those involved. IAB Europe's processing operations would lead

TCF participants to assume that they are correctly informing data subjects about the

processing of personal data through the OpenRTB system, but this is not the case. This

would then lead to the unlawful sharing and distribution of personal data, even sensitive

personal data, on an immense scale via the OpenRTB system.

123. IAB Europe's processing of the TC String would result in a unique online identifier being

shared with untold numbers of parties, similar to what happens with unique identifiers in

advertising cookies from large advertising companies. It would therefore allow easy

tracking of users across the web and across devices ("web and cross-device tracking").

Moreover, the complainants argue that the TC String can be combined with the data

distributed via the OpenRTB system, because the TC String is integrated in a bid request.

124. Given the lack of information for data subjects about the processing operations within the

TCF and the unrestricted sharing of the TC String with an almost unlimited group of

recipients, it is clear to the complainants that these processing operations are beyond the

scope of the data subjects' reasonable expectations. Furthermore, data subjects such as

the complainants do not expect that the processing of personal data within the TCF will

result in their, sometimes sensitive, personal data and detailed profiles being shared with

numerous companies through the OpenRTB system without any real and effective control

over what those companies will do with the personal data obtained.

125. Thecomplainants inthis caseare natural persons and interestgroups representing thedata

protection interests of natural persons. They have no control over the processing of

personal data within a TCF (which happens anyway, regardless of whether consent is given

or refused in a CMP). Nor do they have control over what happens to their personal data

shared through the OpenRTB system. According to the complainants, those involved

cannot verify whether participants in OpenRTB actually comply with the rules of the TCF.

29, IAB Europe processes personal data in the TCF covertly without any form of notification and the

processing is therefore neither proper nor transparent

126. Despite the extensive documentation that IAB Europe makes available to TCF participants

on its website, nowhere does it state that the TCF itself also involves the processing of

personal data, according to the complainants. Moreover, the documentation expressly

disregards, with regard to TCF participants, that the TCF itself involves the processing of

personal data.

127. The TCF Implementation Guidelines seems to suggest that there are hypotheses in which

participationin aTCF does notinvolve theprocessing ofpersonal data. After all, advertisers

and DSPs, who already participate in the TCF, are told that they should register as vendors

if they process personal data. According to the complainants, this implies that they would

not have to do so if they were not processing personal data. However, the latter situation is

entirely impossible, according to the complainants, as the TCF inherently requires the

processing of personal data.

128. According to the complainants, the statements in the IAB Europe guidelines are misleading

for the hundreds of adtech vendors who useTCF.BecauseIAB Europedoes notinform TCF

participants about the processing of personal data necessarily entailed by the

implementation of a TCF, none of these participants knows or realises that they have a

transparency obligation. In this way, data subjects - such as the complainants - are not

informed by any participant of the processing of personal data within TCF.

129. IAB Europe does also not comply with its own transparency obligation. Neither on its own

website nor in other sources does the defendant communicate the information required by

Articles 13 and 14 to those concerned, such as the complainants. This would include the

following information: that IAB Europe is the data controller of the TCF and its contact

details; the contact details of its data protection officer; what its processing purposes are

and the legal basis for the processing; which categories of personal data it processes (in

particular the TC String); who receives the personal data (these are already at least all
participants in the TCF who receive the TC String); that IAB Europe intends to transfer the

personal data to recipients in third countries; how long the personal data are retained; what

its legitimate interests for processing are; what the rights of the data subjects are; that data

subjects may lodge a complaint with the DPA; that data subjects may withdraw their given

consents; and finally, what the source of the personal data is.

130. At the same time, IAB Europe cannot invoke any of the exceptions provided for in Article

14.5 of the GDPR in order not to have to provide this information, as:

a. the data subjects are not yet in possession of the information, since the processing

in respect of them has so far been carried out in secret (Article 14.5.a GDPR);

30, b. it is not impossible nor does it require a disproportionate effort to make this

information known to the data subjects, given the influence that IAB Europe

exercises over the operation of the TCF (Article 14.5.b GDPR);

c. the acquisition of these data is not prescribed by law (Article 14.5.c of the GDPR);

and

d. the personal data need not remain confidential for reasons of professional secrecy

(Article 14.5.d GDPR).

IAB Europe's reference to the Vectaury case in France does not hold water

131. According to the complainants, IAB Europe wrongly believes that it can rely on the decision

of the French supervisory authority CNIL in the Vectaury case. Indeed, IAB Europe wrongly

claims that it would be strange for the Inspection Service to find infringements related to

the processing of personal data in the TCF, while the CNIL is alleged to have no problems

with the legitimacy of these processing operations. The complainants argue that IAB

Europe is making assumptions here and reaching conclusions that cannot be deduced from

the Vectaury case at all:

• Firstly, the Vectaury case was about the specific implementation of a CMP by

Vectaury whereby the TCF would have been implemented. The role of IAB Europe

was not the subject of those proceedings and CNIL therefore did not rule on, nor

investigate, the role of IAB Europe in providing the TCF.

• Secondly, that case specifically concerned whether Vectaury's implementation of

the TCF could bring the underlying processing of real-time bidding systems in line

with the GDPR. The CNIL's verdict was clearly negative, as shown by the fact

Vectaury itself states on its website that it has created a completely new method in

dialogue with the CNIL. According to the complainants, it is therefore misleading of

IAB Europe to claim that the CNIL has legitimised the TCF in itself as being

sufficient to bring real-time bidding systems into compliance with the GDPR.

• Thirdly, the complainants argue that the CNIL investigation did not focus on the

legitimacy of the processing of personal data within the TCF. The CNIL did not look

at the generation and distribution of the TC String as a stand-alone processing and

therefore did not make any statement about it.

132. According to the complainants, the CNIL's decisions in the Vectaury case are therefore

irrelevant, as it was a clearly different case, directed against a different party, involving

different processing operations and under legislation that has since been replaced. The

Litigation Chamber follows the position of the complainants and does not discuss the

Vectaury case, which concerns a different case than the present one.

31, c. Infringement of the principles of integrity and confidentiality (Articles 5.1.f and 32 of the

GDPR)

133. According to the complainants, IAB Europe violates the integrity and confidentiality

obligations of the GDPR because it facilitates the exchange of personal data in the TCF, in

particular the exchange of the TC String, with numerous parties, without verifying whether

all recipients of this personal data comply with the rules of the GDPR.

134. It is certain that the TC String is shared with thousands of companies. The TC String must

therefore be protected by appropriate measures in accordance with Articles 5.1.f et 32

GDPR. However, IAB Europe has not built in an appropriate protection mechanism: As with

all other processing in the OpenRTB system, there is no way to verify that recipients are

effectively processing the TC String in accordance with the GDPR. Indeed, none of the

mechanisms presented by IAB Europe is based on real, proactive control of TCF

compliance, the complainants argue.

135. The complainants dispute IAB Europe's argument that it has no obligation to enforce the

TCF, and in particular the agreements made within the TCF. The complainants argue that it

is indeed its obligation as a data controller to enforce the agreements within the TCF and,

atleastinthis way, to providecertainguarantees for thesecureprocessing of theTC String.

136. Secondly, the complainants point to claims by IAB Europe that, as a management

organisation, it makes "substantial efforts" to enforce the agreements within the TCF.

According to the complainants, there is no evidence of these alleged "substantial efforts".

They further argue that IAB Europe would have to verify each registered TCF participant's

compliance with all agreements, which given the scale of data processing would imply a

huge investigation. Moreover, the complainants refer to the answer given by IAB Europe

itself to the Inspection Service: "The reporting obligation itself is not currently monitored.

Moreover, it is difficult to monitor it because it would be difficult for IAB Europe to establish

whether or not or when a CMP had (or should have had) a "reasonable belief" that another

party was not complying" 39.

137. Thirdly, the complainants believe that IAB Europe is wrong to try to hide behind the

contractual arrangements. According to the complainants, the defendant claims that it is

sufficient that participants are contractually obliged to report any non-conformity to IAB

Europe.

138. The complainants also argue that IAB Europe, as the data controller of the TCF, is bound by

Articles 5.1.f and 32 of the GDPR, although it is practically impossible to guarantee the

security of the processed TC String when it is shared with thousands of recipient

39Letter from IAB Europe to the Inspection Service of 10 February 2020, p. 8.

32, companies. According to the complainants, the latter would mean that IAB Europe actively

checks that all recipients of the TC String always comply with the obligations of the GDPR

so that the processing of the received TC String would not be unlawful.

139. Moreover, according to the complainants, practice proves that almost all participants in the

TCFunlawfullyprocesstheTCString,asnotoneCMP,notonepublisherand notonevendor

provide information on the processing of the TC String, its purpose, legal basis or the

categories of recipients. This would imply, according to the complainants, that the transfer

of the TC String to these parties is inherently a personal data breach which, given its

immense scale, gives rise to an obligation to report to the supervisory authorities.

140. The practical impossibility of providing the necessary safeguards for the protection of the

personal data (in particular the TC String) of data subjects, when shared with thousands of

recipients within the OpenRTB system, shows, according to the complainants, that IAB

Europe is in breach of its obligations under Articles 5.1.f and 32 GDPR.

d. The systematic transfer of the TC String to third countries without adequate protection

(breach of Article 44 of the GDPR)

141. Thecomplainants arguethatIAB EuropehassetuptheTCFinsuchawaythatpersonaldata

— including the TC String, because it is integrated into the bid requests — is structurally

transferred in the context of OpenRTB to numerous companies outside the European

Economic Area (EEA), without adequate protection being provided for these transfers.

142. The complainants refer to the Ad Exchange Xandr (based in the USA), which is affiliated to

IAB Europe's TCF and therefore receives at least the TC String from EEA users, including

the complainants. As data controller for the processing of personal data in the TCF, IAB

Europe should provide a mechanism for the transfer of personal data so that Ad Exchanges

established outside the EEA may receive the TC String.

143. Exchanges of the TC String via real-time bidding systems such as OpenRTB are structural

innatureandrepeatthemselvescontinuouslyinfractionsofseconds.Afterall, theTCString

is sent along with the bid requests. This would make it impossible for IAB Europe, according

to the complainants, to invoke any of the exceptions in Article 49 GDPR.

144. Appropriate safeguards would be the only way for IAB Europe to organise transfers of

personal data in the TCF. However, at present IAB Europe does not provide any form of

appropriate safeguards for the transfer of the TC String through real-time bidding systems

such as OpenRTB.

33, 145. In line with the Schrems II judgment, IAB Europe, 40 in addition to selecting a form of

adequate safeguards, should also have taken additional measures to prevent personal data

from being processed in a non-compliant manner in third countries. However, these

additional measures are just as lacking as appropriate safeguards. The TC String is shared

in a blind manner with an indefinite number of participants in the OpenRTB system,

wherever in the world they may be located.

A.7. - Summary of the defendant's rejoinder dd. 25 March 2021

A.7.1. - Organisations that process personal data within the RTB system are responsible for

complying with the GDPR and the ePrivacy Directive

146. The defendant first argues that any party participating in RTB and using the OpenRTB

specification can intervene in the technical storage and/or access operations on a user's

device(e.g.theplacingofwebsitecookies)undertheePrivacyDirective,and/oractas adata

controller or processor of personal data (e.g. for digital advertising purposes) under the

GDPR. Where appropriate, all of these parties are responsible for complying with their

obligations under the GDPR and the ePrivacy Directive when engaging in RTB.

147. In addition, according to the defendant, there are thousands of companies engaged in RTB

and using the OpenRTB specification, which, however, do not participate in the TCF.

Similarly, parties may use the TCF for purposes other than RTB. IAB Europe also stresses

that publishers can use the TCF for a range of online advertising scenarios other than the

OpenRTB specification - including other types of RTB protocols, but also online advertising

that does not involve RTB at all, such as the direct sale of advertising inventory.

148. The defendant also refutes the complainants' allegations that RTB is inherently illegal by

referring to the UK supervisory authority's (ICO) report which merely stated that RTB

"requires organisations to take responsibility for their own data processing, and that the

industry is collectively reforming RTB". The ICO is also said to have highlighted the good

faith efforts of stakeholders such as IAB UK to contribute to this reform process in a more
41
recent publication .

149. Furthermore, the defendant states thatseveral supervisory authorities havecalled for ways

to increase transparency for data subjects by clearly identifying the data controllers with

whom personal data will be shared, by specifying the processing purposes and by enabling

40CJEU judgment of 16 July 2020, C-311/18, Facebook Ireland andSchrems, ECLI:EU:C:2020:559.
41
Information Commissioner’s Office – Adtech - the reform of real time bidding has started and will continue, 17 January
2020, https://ico.org.uk/about-the-ico/news-and-events/blog-adtech-the-reform-of-real-time-bidding-has-started/.

34, data subjects to exercise control over their personal data. It is precisely this kind of

transparency measure that IAB Europe and the TCF aim to support.

150. Within the framework of the TCF, data subjects are given the opportunity to give their prior

approval to a number of identified third parties (adtech vendors) and processing purposes.

According to IAB Europe, this transparency and prior checking is an appropriate substitute,

from a legal compliance perspective, for real-time, on-the-fly, one-by-one consent for

access, storage and data processing by data controllers.

A.7.2. - IAB Europe cannot be held responsible for the alleged illegal practices of RTB

participants, as the TCF is completely separate from RTB

151. The defendant emphasises that the TCF is only one of many optional approaches that data

controllers may choose to help ensure compliance with transparency and consent

requirements when processing personal data for RTB or other advertising purposes.

Consequently, the responsibility for compliance and for the actual decisions on the

purposes and means of these personal data processing operations lies entirely with the

parties engaged in RTB, and not with IAB Europe.

152. The defendant also states that IAB Europe had contact with several supervisory authorities

after the roll-out of the first version of the TCF, as well as with several publishers. Following

these discussions, the second version of the TCF was developed, in which several

processing purposes were bundled under one title in so-called "stacks", and the legitimate

interest was introduced as a possible legal basis. Furthermore, the TCF v2 introduces

additional purposes and "publisher controls" that allow publishers to restrict access to a

particular purpose to a subset of adtech vendors.

153. Finally, the defendant clarifies that IAB Europe has always intended to have the TCF

adopted as a transnational code of conduct.

154. In its initial submission, the defendant puts forward procedural arguments concerning the

competence of the DPA and the way in which the complaints and the investigation were

handled. These defences are set out below in Section A.9.

155. In its summary submission, the defendant also claims that the manner in which the DPA

conducted the proceedings does not comply with Article 57 of the GDPR. However, since

the complainants were unable to respond, the debates were reopened at the request of the

Litigation Chamber.

35,A.8. - Hearing and reopening of debates

156. In accordance with Article 51 of the Rules of Procedure of the Data Protection Authority, a

hearing was organised, to whichall parties shall beinvited.Thehearing took placeon11 June

2021.

157. An official report of the hearing was drawn up in order to give details and additional

information which were made during the hearing, without repeating the elements set out in

the submission. The parties were also given the opportunity to submit their written

comments on the record. A number of elements mentioned below are relevant to the

present decision.

158. In the context of the hearing, the Inspection Service first confirmed its position that IAB

Europeacts as adatacontroller for theprocessing of personal dataunder theTransparency

and Consent Framework (hereinafter "TCF"), but not for OpenRTB.

159. The Inspection Service also clarified that personal data is collected as provided for in the

42
TCFPolicies,intheTerms andConditions andintheprivacypolicy,aswellasinthecontext

of the TC String values stored in a euconsent-v2 cookie, the latter as an expression of a

user's preferences must also be regarded as personal data. The Inspection Service also

emphasises that the TC String as such does not contain any information relating directly or

indirectly to the taxonomy of the website to which the TC String refers. This last aspect

concerns an essential distinction between the preferences of the user that are collected in

the context of the TCF, and the personal data of that same user that are collected and

distributed within the OpenRTB system. In conclusion, the Inspection Service states that

the TC String values and the euconsent-v2 cookie do not in themselves allow the

identification of an individual user. Although both elements contain personal data, in the

sense that the information relates to one natural person, the Inspection Service also

confirms that it is not possible to identify the specific data subject on the basis of that

information alone.

160. During the hearing, the defendant raised a procedural point, namely that the Litigation

Chamber is not permitted to rule on the complainants' submission before an analysis has

been carried out on the consistency of their written submissions in comparison with the

complaints. The defendant also requests that the Litigation Chamber rule on the necessity

ofrequesting asupplementaryinvestigationbythe InspectionService, asallegedlyrequired

by Article 57.1.f GDPR. The Litigation Chamber will decide on this procedural point in the

present decision .3

42
TermsandConditionsfortheIABEuropeTransparency &ConsentFramework("TermsandConditions")(Exhibit33),p. 7.
43See para. 174 et seq. of this decision.

36, 161. The complainants responded orally to the defendant's procedural arguments during the

hearing.

162. With regard to the timing of the TC String generation, the defendant emphasises that the

capture of the exact creation time cannot lead to the uniqueness of a TC String, as there is

a chance that two unidentified users may give the same preferences at the same time.

Moreover, this timestamp aloneis notsufficientto speak of auniquestring, sincethevalues

of the TC String are not persistent and may vary over time or according to the visited

websites.

163. The defendant also states that the global consent cookies scenario, in which the

preferences stored in one TC String apply across several websites, is not relevant in view of

the limited scope at the time of the hearing , as well as the intention of IAB Europe, as a

result of the finding that a global consent does not meet the requirement of a specific

consent , to stop supporting this functionality and to phase it out in the weeks following

the hearing.

164. As regards the question whether the allocation of a subdomain of consensu.org to CMP by

means of a DNS delegation can be regarded as a determination of the means of processing,

the defendant submits that, as a result of the DNS delegation, each subdomain refers to

servers of the CMPs, which are moreover the only ones able to read the TC Strings from the

users' devices. In addition, the defendant submits that the registration of a subdomain of

consensu.org is purely optional and, as such, does not constitute an essential means of

processing.

165. The complainants emphasise, on the other hand, that a DNS delegation can always be

reversed by the defendant, and that it is irrelevant that the defendant does not have access

to the euconsent-v2 cookies. The complainants also point out that the DNS delegation can

be regarded as an essential means of processing, since the DNS delegation is used to

distribute the TC String further through the TCF ecosystem.

166. Concerning the existence of interfaces between the TCF and OpenRTB, the complainants

stress thatboth systems are inherently intertwined becauseof thelink between, on theone

hand, the TC String that the CMPs generate according to the instructions of the TCF and,

on the other hand, bid requests, which are regulated by the OpenRTB. In other words, the

latter are used as vehicles to spread the TC String throughout the OpenRTB ecosystem.

44According to the defendant, the number of globally scoped consents was at most 0.5% of all consent and preferences
collected worldwide.
45
Article 4.11 GDPR: "consent" of the data subject means any freely given specific, informed and unambiguous expression
ofwillbywhichthedatasubjectaccepts,bydeclarationorunambiguousactiveact,theprocessingofpersonaldatarelating
to him or her.

37,167. The defendant states that both systems can function independently and that the TCF was

developed with OpenRTB as a starting point and could be used in that context, as OpenRTB

is the most widely used standard in the industry. According to the defendant, this does not

mean that the TCF is an essential means of using OpenRTB.

168. The defendant argues that the elaboration by the defendant of a future Code of Conduct in

relation to the TCF cannot be regarded as proof of its (shared) responsibility for the

processing of personal data in the context of the TCF. Complainants add that it is

impossible to verify compliance with the GDPR by participating organisations, even if the

rules are clearly defined in an enforcement policy.

169. In this regard, the defendant refers to the development and gradual implementation of

automated compliance programmes to monitor the extent to which CMPs and advertisers

(as well as other adtech vendors) comply with the TCF Policies, including future internal

audits of the processes at the aforementioned parties. The defendant also emphasises that

the TCF already provides for sanctioning measures against adtech vendors that do not

adhere to the framework, such as temporary suspensions of their participation in the TCF.

170. With regard to the link between the TC String and the individual user, the defendant takes

the view that the TCF does not determine how this is done, nor how the TC String is

subsequently communicated to the adtech vendors, as these elements are entirely subject

to the OpenRTB specification.

171. The defendant clarifies that the use of the consensu.org domain is purely optional, and

moreover, this domain was not developed for the purpose of processing or storing logs

related to the TC Strings.

172. Finally, the defendant emphasises its position that the TC String only constitutes personal

data after it has been linked in the context of the OpenRTB to a bid request which already

contains personal data.

173. On9 August2021, after deliberation, the Litigation Chamber decides to reopenthedebates

on specific procedural arguments of IAB Europe.

174. On 23 August 2021, the Litigation Chamber received the first submissions from the

defendant. The defendant states that the DPA infringed Article 57.1.a and 57.1.f GDPR and

Article 94(3) DPA Act. The DPA also allegedly failed to comply with the principle of sound

administration and the defendant's rights of defence.

175. With regard to Article 57.1.f GDPR, the defendant first of all claims that the complainants

have submitted new allegations in their submission, which are thus more extensivethan the

original complaints. Moreover, according to the defendant, the DPA did not proactively

investigate these new allegations by charging the Inspection Service with a new or

38, supplementary investigation. As a result, the defendant considers that the DPA has failed

to fulfil its duties under Article 57.1.f GDPR.

176. Furthermore, the defendant claims that, by requesting an initial investigation from the

InspectionService, the LitigationChamber has defacto bound itselfto aprocedureinwhich

every allegation or defence must be investigated by the Inspection Service. According to

the defendant, the decision of the Litigation Chamber not to request a supplementary

investigation after an initial investigation and the submission of the defences led to an

infringement of Article 94(3) DPA Act.

177. The defendant also states that, in the absence of an investigation by the Inspection Service

into supposed new allegations in the complainants' defences and a legal classification of

those allegations, it was unable to defend itself adequately against the complaints made

againstIABEurope.Thus,theprocedurebeforethe LitigationChambercouldbeconsidered

to have evolved from an inquisitorial to an adversarial procedure in which the Litigation

Chamber would no longer have acted as an administrative dispute resolution body, taking

mainly into account the claims and documents of the complainants, with the result that the

rights of defence of IAB Europe have been violated, according to the defendant.

178. On 6 September 2021, the Litigation Chamber received the complainants' submission. The

complainants consider, first of all, that the defendant's new pleas exceeded the limited

scope of the reopened debates.

179. Secondly, the complainants argue that the nature of the proceedings has not changed in

any way, as the proceedings were started because of complaints made to the DPA, in other

words, as an adversarial procedure, and have remained so throughout.

180. Thirdly, the complainants refer to Articles 63(2) and 94 DPA Act, as a counter-argument to

the assertion that the Litigation Chamber should have had the Inspection Service examine

each of the pleas raised by the complainants. After all, these provisions provide the

Litigation Chamber with a discretionary power to decide whether or not an (additional)

investigation by the Inspection Service is necessary.

181. Furthermore, the complainants argue that it is impossible for the Litigation Chamber to

have an investigation or supplementary investigation carried out by the Inspection Service

after the parties' submissions and exhibits, taking into account the time limit of 30 days

after, respectively, the referral to the Litigation Chamber by the First Line Service following

the lodging of the complaint, or the Litigation Chamber's reception of the Inspection

Service's initial investigation report, under Article 96 of the DPA Law.

182. With regard to the defendant's argument that the way the Litigation Chamber handled the

case violates Article 57.1.f GDPR, the complainants point out that, first of all, this provision

has no direct effect in the sense that the defendant can derive rights from it. The

complainants also argue that this provision cannot affect the internal structure and

39, functioning of the supervisory authorities, which, with regard to the DPA and, more

specifically, the division of powers between its Inspection Service and its Litigation

Chamber, are subject to Belgian administrative (procedural) law.

183. Furthermore, thecomplainantsstatethatArticle57.1.fGDPRdoes notreferto anobligation

on the part of the Litigation Chamber to request an investigation by the Inspection Service

into the complaints, but to the power of the supervisory authorities to close the case.

184. In addition, the complainants argue that the decision of the Litigation Chamber to request

an investigation from the Inspection Service in no way prevents it from relying on the

submissions and exhibits submitted by the parties, contrary to the defendant's position.

185. As regards the defendant's alleged failure to comply with the principle of due care, the

complainants submit that the Litigation Chamber is required under that principle to study

properly all the exhibits in the file so that its decision is based on a correct and complete

presentation of the facts. However, this principle again does not imply in any way that the

LitigationChamber must havea(supplementary) investigationcarried outby the Inspection

Service for every exhibit.

186. As regards the defendant's rights of defence, the complainants maintain that, on the basis

of the Inspection Service's various investigative reports and the submissions and exhibits

submittedbythecomplainants,thedefendantwas adequatelyinformedoftheallegedfacts

and infringements of law. Also, according to the complainants, the defendant was given

sufficient opportunity to defend itself in writing against the legal and factual allegations

made by the complainants, given that the defendant was offered two rounds of

submissions.

187. Finally, the complainants refer to the lack of concrete examples, in the defendant's latest

submissions, of alleged new allegations on which the defendant was unable to conclude or

which were not investigated by the Inspection Service.

188. On 13 September 2021, the Litigation Chamber received the defendant's response.

189. According to the defendant, only the inspection report determines the extent of the

allegations, provided that the inspection report is meaningful and based on a

comprehensive examination of the facts. Furthermore, the defendant submits that the

decisionofthe LitigationChamber to requestaninvestigationby the Inspection Service has

resulted in the procedure as a whole becoming an "inquisitorial" procedure, irrespective of

whether the procedure has its origin in the complaints filed with the DPA. According to the

defendant, the decision of the Litigation Chamber not to subsequently request a

supplementary investigation and to base the further proceedings solely on the parties'

submissions and exhibits amounts to a breach of its rights of defence.

40, 190. In addition, the defendant is of the opinion that the period of thirty days provided for in

Article 96(1) DPA Act does not apply to the request by the Litigation Chamber to have a

supplementary investigation carried out by the Inspection Service.

191. The defendant bases that reasoning on the distinction made in general administrative law

between expiry periods and periods of order. In particular, the defendant takes the view

that, in the absenceofformal provisions inthe DPA Act to the effectthatexceeding the30-

day time limit results in a loss of jurisdiction for the Litigation Chamber, the time limits

provided for in Article 96 must be complied with, although not on pain of invalidity of the

decision rendered too late. According to the defendant, the Litigation Chamber therefore

remains competent to make a decision for supplementary investigation even after the

expiry of the 30-day period of order. That interpretation, the defendant argues, is in fact the

result of the greater importance of the right to a defence over the right to expeditious

proceedings before the Litigation Chamber.

192. As regards the direct effect of Article 57.1.f GDPR, the defendant submits that the

existence of a margin of appreciation for the Member States does not exclude the direct

effect of a provision, but implies an examination of whether that provision is intended to

provide a guarantee for the parties. The defendant takes the view that Article 57.1.f GDPR

fulfils this requirement and clarifies that its argument for requesting an supplementary

investigation is furthermore limited to an assessment in fact and in law of the supporting

points in the proceedings.

193. In conclusion, the defendant states that it has not received a clear statement of the nature

and scope of the charges, except for the allegations made in the complainants' defences. In

that regard, the defendant submits that the technical inspection reports contain merely

technical descriptions, in which, moreover, the TC String is not mentioned anywhere. In

Section A.9. - Procedural objections raised by the defendant, the Litigation Chamber will

demonstrate why the procedural rights, including those relating to the specificity of the

charges, were sufficiently respected.

A.9. - Procedural objections raised by the defendant

A.9.1. - Infringements of procedural rules applicable to the inspection report and of

fundamental rights and freedoms of IAB Europe

a. Inadmissibility of the complaints

194. The defendant first of all argues that some of the complaints were filed in English and

therefore do not meet the formal admissibility requirements set out in Article 60 DPA Act.

41,195. In addition, the defendant takes the view that some of those filing the complaints cannot be

regarded either as "complainants" or as "parties" within the meaning of Articles 93, 95, 98

and 99 DPA Act, with the result that their submissions must be excluded from the debates

and cannot be taken into account.

196. Finally, the defendant asserts that themeasures that theDPAcanimposeunder Article100

of the DPA Act do not provide any benefit to these complainants.

197. IAB Europe thus considers that the case was unlawfully initiated - in particular on the basis

of several inadmissible complaints - with the result that the claims against IAB Europe must

be rejected and cannot lead to the imposition of a valid sanction or corrective measure on

IAB Europe.

Position of the Litigation Chamber

198. The Litigation Chamber refers to Article 77.1 of the GDPR, according to which data subjects

have the right to lodge a complaint in the Member State where they usually reside, have

their place of work or where the alleged infringement was committed. The four complaints

in English referred to by the defendant were not lodged directly with the DPA, but with the

national supervisors with jurisdiction for each of the complainants, in accordance with the

locally applicable language legislation. In casu, the four complaints have been filed

respectively with the Polish supervisory authority, with the Slovenian SA, with the Italian SA

as well as with the Spanish SA, which then referred these complaints to the Belgian DPA as

the lead supervisory authority, in accordance with the cooperation procedure provided for

under Article 56 GDPR.

199. The formal admissibility requirements provided for under Article 58 DPA Act, and more

specifically the requirement that a complaint be drawn up in one of the national languages,

only apply to complaints filed directly with the DPA. Any other view would erode the

effective operation of the right to complain, one of the core elements of the GDPR. Indeed,

a complainant who submits his complaint to an authority of a Member State cannot be

expected to submit it in the language of the Member State of the lead authority, if that is

different from the authority to which he submits his complaint. It follows that the four

complaints in question were validly filed with the DPA.

200. In relation to the lack of interest of Fundacja Panoptykon, as well as other complainants, in

the complaints lodged through the European "one-stop shop" mechanism, raised by the

defendant, the Litigation Chamber notes that Fundacja Panoptykon lodged the complaint

withthePolishsupervisoryauthorityonbehalfofMs KatarzynaSzymielewiczinaccordance

with Article 80.1 GDPR. On the basis of this provision, the complainant has the right to

instruct Fundacja Panoptykon to lodge the complaint on its behalf.

42,201. The Litigation Chamber notes that IAB Europe does not explain at all why Fundacja

Panoptykon should not be considered a complainant and party here. In addition, in the

absence of doubts whether the other complaints were admissible, the argument by the

defendant would not make any difference towards the outcome of this decision.

202. This argument must therefore be rejected.

b. The inspection report is not properly reasoned

203. The defendant then goes on to address the inadequate reasoning in the inspection report.

As a result of the lack of a clearly worded statement of reasons in the inspection report -

including the lack of a clearly identified data controller in connection with a clearly defined

data processing activity - the defendant argues that the inspection report not only infringes

the DPA's obligation to provide express and sufficient reasons for its decisions, but also

constitutes a clear breach of IAB Europe's rights of defence. Consequently, the inspection

report infringes IAB's rights of defence as laid down in Article 6 ECHR and Article 47 of the

Charter of Fundamental Rights.

Position of the Litigation Chamber

204. IAB Europe's claim that the Inspection Service's report of 13 July 2020 is not sufficiently

reasoned is incorrect. As can also be seen from the reflection of this Inspection Report in

this decision, the Inspection Report contains detailed reasoning.

205. Furthermore, IAB Europe overlooks the fact that, in addition to the report of 13 July 2020,

the Inspection Service produced other very extensive and detailed technical reports

(Exhibits 24 and 53). Finally, the Litigation Chamber points to the extensive written and oral

exchange of views between the parties before its Chamber. IAB Europe's simple assertion

of failure to respect its rights of defence is therefore without merit, as set out in the

following paragraphs.

c. Incompleteness and bias of the inspection report

206. The defendant refers to Article 58.4 GDPR, which provides that the procedure before the

DPA must be conducted in compliance with "appropriate safeguards, including [...] the due

process of law". According to the defendant, that principle applies equally to the

investigation carried out by the Inspection Service and to the findings set out in the

inspection report.

207. Referring to the similarities with the role and duties of a prosecutor in ordinary criminal

proceedings, the defendant claims that the basic principles of loyalty, impartiality and

independence also apply to the InspectionService. Thedefendant refers to SectionIV of its

submission and considers that relevant exculpatory elements, of which the Inspection

Service was or should have been aware, are missing from the inspection report.

43, 208. The defendant, emphasising that the DPA is obliged to maintain the presumption of

innocence of a defendant at all times, including during the investigative phase of

proceedings which may lead to penalties of a criminal nature within the meaning of Article

6 ECHR, considers that its presumption of innocence has been infringed and that the claims

against IAB Europe must therefore be dismissed.

Position of the Litigation Chamber

As regards the autonomy of the Litigation Chamber from the other bodies of the

DPA, including the Inspection Service

209. The Litigation Chamber first notes that the defendant seems to confuse the role and

prerogatives of the Litigation Chamber with those of the other bodies of the DPA.

210. As indicated above, the Litigation Chamber is the administrative disputes body of the DPA

pursuant to Article 33(1) DPA Act. The provisions governing the procedure before the

Litigation Chamber (see Articles 92 to 100 DPA Act) do not show that it is in any way bound

by the findings of any other body of the DPA. Consequently, the Litigation Chamber is not

bound by the findings of the Inspection Service.

211. It is also recalled that the Inspection Service submitted not one but several detailed and

technical reports clearly setting out the deficiencies attributable to the defendant and

substantiating its position with the help of legislative, jurisprudential and factual sources, as

the complainants point out. The defendant had access to those reports. Moreover, the

defendant responded in detail to the reports of the Inspection Service.

212. The defendant further submits that the Inspection Service's report of 13 July 2020 is not

exculpatory, but merely incriminating, because the report does not contain "certain

exculpatory elements" of IAB Europe. The defendant also refers, without further

specification,toSectionIVofitssubmission,inwhichitsetsoutitsargumentsonthemerits.

Inthe absenceofmoredetailed informationontheexculpatory elements that were omitted

from the abovementioned report of the Inspection Service, that complaint must be

rejected.

213. The Litigation Chamber notes that even if the defendant's argument were to be followed,

quod non, it could nevertheless be concluded, as the Market Court has already indicated,

that the proceedings before the Litigation Chamber were not unlawful in so far as both

parties were given the opportunity to put forward their arguments in their submissions . In

view of the complexity of the system, the Litigation Chamber was not able to specify every

technical aspect of the system against which charges were brought against the defendant

46Market Court, 2019/AR/741, 12 June 2019, p. 12, available on thewebsite of the DPA.

44, at the outset of the proceedings before the Litigation Chamber, on 13 October 2020, i.e. at

the time when the parties were invited to present their written submissions (art. 98 DPA

Act). However, in order to ensure the procedural rights of the parties, the Litigation

Chamber firstly ensured that the defendant had sufficient opportunities to present its

arguments before the Litigation Chamber, and secondly, that it remained within the scope

of the initial complaints and the Inspection Services' reports, communicated to both parties

prior to their written submissions.

As regards the legal framework for the Inspection Service's investigations

214. It should also be recalled that the Inspection Service may conduct any investigation, hold

any hearing and collect any information it deems useful in the course of its duties in order

to ensure compliance with the fundamental principles of personal data protection . 47

215. TheLitigationChamber also points outthattheintervention of the Inspection Service inthe

proceedings consists of recording findings and that it has no power to impose penalties.

216. Contrary to the defendant's contention, the Inspection Service is not an administrative

authority of criminal law within the meaning of Article 6 of the European Convention on

Human Rights (hereinafter: "ECHR"), as it has no power to impose penalties and its task is

limited to making findings and transmitting them to the Litigation Chamber in its report. As

indicated above , the findings of the Inspection Service are only elements on which the

Litigation Chamber bases its decision at a later stage of the proceedings. Nevertheless, the

Litigation Chamber emphasises that the Inspection Service's investigation in the present

case was conducted in an impartial manner, in accordance with the requirements of Article

6 ECHR and Article 47 Charter. It disagrees with suggestions made by the defendant in so

far as they call into question the impartiality of the Inspection Service.

On respect for the right to a fair trial, including the right to a defence before the

Litigation Chamber

217. The Litigation Chamber agrees with the defendant on the importance of applying

procedural safeguards relating to due process in the disputes before it.Itis also established

that these principles are effectively applied before the Litigation Chamber.

47Cf. Art. 64 DPA Act: "The Inspector General and the inspectors shall exercise the powers referred to in this Chapter for
the purpose of supervision as provided for in Article 4(1) of this Act". Also see Art. 72(1) DPA Act: "Without prejudice to the
provisions of this Chapter, the Inspector General and the inspectors may conduct any enquiry, control or audit, as well as
collectanyinformationthey consideruseful inordertoensurethatthefundamentalprinciplesoftheprotectionofpersonal

data,withintheframeworkofthisActandthelawscontainingprovisionsrelatingtotheprotectionofprocessingofpersonal
data, are effectively respected" (emphasis added).
48See para. 209-210 of this decision.

45, 218. As set out above , the defendant's complaint concerning the alleged lack of reasoning and

impartiality of the Inspection Service's report, on which the defendant relies to conclude

that its right to a fair trial has been violated, must be rejected.

219. For the sake of completeness, the Litigation Chamber also points out that the Market Court

has already ruled that — in the event that the procedural safeguards in the earlier stage of

the proceedings were not guaranteed, quod non — parties have an adequate remedy

against decisions of administrative bodies, in particular through the possibility of appeal to

the Market Court . 50

220. The Market Court added that a lack of impartiality on the part of an administrative authority

does not necessarily constitute an infringement of Article 6.1 ECHR if a judicial authority

with full power of review, which itself respects the guarantees of Article 6.1 ECHR, can

review the decision at issue.

221. According to the Market Court, an infringement of the principle of impartiality of the

administration at an earlier stage does not necessarily entail a breach of the right to a fair

trial if thatinfringement canberemedied atasubsequentstage.Thepossibility ofan appeal

to acourt thatrespects theguarantees ofArticle6 ECHR is intended to allowpreciselysuch

corrections .51

222. Specifically with regard to the Litigation Chamber, the Market Court ruled as follows:

"[...] even then, this legal protection by the legal subject is only legally enforceable before a

judge (who is part of the judiciary) [...]. The legal possibility of bringing an action/recourse

before the Market Court is intended to provide the litigant with the guarantee of Article 6.1

ECHR and, more particularly, with the remedy provided for in Article 47 CFREU [Charter of

Fundamental Rights of the European Union]". 52

223. Therefore, in the absence of impartiality on the part of the Litigation Chamber, which is not

the case here, and inso far as theMarketCourt exercises full judicial reviewof thedecisions

of the Litigation Chamber, it cannot be concluded, ipso facto, that the right to a fair hearing

in the proceedings has been infringed.

49See para. 204 et seq. of this decision.
50
"The legislator has given the citizen a conclusive legal remedy against the conduct of administrative bodies (in this case
the DPA) by providing precisely recourse to the Market Court", Court of Appeal Brussels, Market Court section, 19 th
Chamber A, Market Court section, 2019/AR/741, 12 June 2019, p. 9. The judgements of the Market Court are available on
the website of the DPA in their original language (Dutch or French).

5"A lack of objective or structural impartiality on the part of an administrative authority does not necessarily constitute an
infringement of Article 6.1 ECHR if the decision of that authority can subsequently be reviewed by a court of law with full
jurisdiction and which offers all the guarantees provided for in Article 6.1. Consequently, an infringement of the principle of
impartiality at an earlier stage does not necessarily lead to a denial of the right to a fair trial if that infringement can still be

rectified at a later stage. The organisation of an appeal to a body that meets all the safeguards of Article 6 ECHR serves to
make such redress possible", Court of Appeal of Brussels, Market Court Section, 19 Chamber A, Market Cases Chamber,
2019/AR/741, 12 June 2019, p. 10.
52
Court of Appeal of Brussels, Market Court Section, 2020/AR/329, 2 September 2020.

46, 224. For the sake of clarity and information, the Litigation Chamber notes that while the right to

a defence forms part of the fundamental rights that constitute the legal order of the Union

53
and are enshrined in the Charter , the fact remains that, as the CJEU has held, the various

components of the right to a fair trial, including the right to a defence, are not absolute in

nature and that any restriction may be possible for a public interest purpose. This

assessment must be made in concreto:

“However,theCourthasalreadyruledthatfundamentalrights,includingrespectfortheright

to a defence, are not absolute but may include restrictions, provided that they genuinely

meet the objectives of general interest pursued by the measure in question and that, having

regard to the objective pursued, they cannot be regarded as constituting a disproportionate
and intolerable interference impairing the very substance of the rights guaranteed [...].

34. Moreover, whether the right to a defence have been infringed must be assessed in the

light of the specific circumstances of each case [...]” .

A.9.2. - Infringements of the fundamental rights and freedoms of IAB Europe with regard to

the general nature of the procedure for the DPA

a. Administrative penalties and Articles 6 and 7 ECHR and Article 47 of the Charter of

Fundamental Rights of the European Union

225. The defendant submits that the measures and fines which the DPA is authorised to impose

in the context of Articles 100 and 101 DPA Act, read in conjunction with Article 83 GDPR,

must be classified as penalties of a criminal nature within the meaning of international

humanrights conventions such as theECHR and the Charter of Fundamental Rights, having

regard to the very nature of the offences and the nature and severity of the penalties which

may be imposed on a party. As a result, according to the defendant, Articles 6 and 7 ECHR

and Article 47 Charter of Fundamental Rights are applicable to the penalties which the DPA

may impose on IAB Europe.

226. The defendant then considers that the wide margin between the minimum and maximum

amount of administrative penalties of a criminal nature, which, moreover, according to the

defendant, puts all infringements on an equal footing while failing to specify the severity of

the penalties in the law itself, is contrary to the fundamental principles of substantive

legality and proportionality. The same reasoning applies to Articles 100 and 101 DPA Act, in

conjunction with Article 83 GDPR, which, due to their imprecise and ambiguous wording, do

53In this regard, see CJUE, 18 July 2013, Commission and Others v Kadi, C- -584/10 P, C- -593/10 P and C- -595/10 P,

ECLI:EU:C:2013:518, points 98 and 99.
54CJEU, 10 September 2013, C-383/13 PPU, Affaire G. etR., ECLI:EU:C:2013:533, points 33 s.

47, notallowapartyto appropriately assessthecriminallawconsequencesofacertainconduct

prior to its occurrence.

227. It would therefore follow that Articles 100 and 101 DPA Act, in conjunction with Article 83

GDPR, are contrary to the fundamental principles of substantivelegality and proportionality

laid down in Articles 6 and 7 of the ECHR and Article 47 of the Charter of Fundamental

Rights. For those reasons, the defendant considers that Articles 100 and 101 DPA Act, read

in conjunction with Article 83 GDPR, cannot constitute a valid legal basis for the DPA to

impose a sanction on IAB Europe.

Position of the Litigation Chamber

228. First of all, the power to impose an administrative fine and the modalities of its application

are laid down in the directly effective Article 83 of the GDPR. In line with the case law of the

Market Court, the Litigation Chamber finds that administrative fines, together with the

other corrective measures provided for in Article 58 GDPR, form a powerful part of the

enforcement tools available to the DPA . 55

229. If the DPA finds one or more infringements of the regulations, it must determine the most

appropriatecorrectivemeasure(s) to address thatinfringement.The measures availablefor

this purpose are listed in Article 58.2.b to 58.2.j GDPR. In particular, Article 58.2.i GDPR

provides that the supervisory authority has the power, depending on the circumstances of

each case, to impose, in addition or instead of the measures referred to in this paragraph,

an administrative fine pursuant to Article 83 GDPR. This means that an administrative fine

can be both a stand-alone (corrective) measure and a measure taken in conjunction with

other corrective measures (and is therefore a kind of complementary measure). The

criminal provisions of Sections 83.4 to 83.6 GDPR allow the imposition of an administrative

fine for most infringements. Nevertheless, the supervisory authority has the responsibility

to always choose the most appropriate measure(s) . 56

230. In addition to the relevant provisions of the GDPR and the DPA Act on the level of

administrative fines that the Litigation Chamber may impose, the Litigation Chamber also

relies on the case law of the Market Court , which formulates requirements on the

predictability and reasoning of administrative fines imposed by the Litigation Chamber. For

example, this case law has resulted in a form notifying the intention to impose a sanction

being submitted to the party concerned, who may react to it and send its comments to the

55Court of Appeal Brussels, Market Court Section, 2021/AR/320, 7 July 2021, p. 38.
56Ibidem.
57
Among others, judgments of 19 February 2020 (2019/AR/1600), of 24 January 2021 (2020/AR/1333) and of 7 July 2021
(2021/AR/320).

48, Litigation Chamber before it takes a decision. Accordingly, in the present procedure, this

form was sent and the defendant submitted a reaction . 58

231. The Litigation Chamber also refers to the case law of the Market Court, which determined

that the GDPR does not provide for a specific fine tag or range for specific infringements,

but only an upper limit or maximum amount. In practice, this means that the DPA can decide

not only not to impose a fine on the offender, but also that, if it decides to impose a fine, it

shall be between the minimum, starting at 1 EUR, and the maximum foreseen. The fine shall
59
be decided by the DPA taking into account the criteria listed in Article 83(2) GDPR .

232. Furthermore, the Litigation Chamber also follows the Article 29 Data Protection Working

Party's guidelines on the application and setting of administrative fines under the GDPR,

endorsed by the EDPB , which detail the criteria of Article 83(2) GDPR that a supervisory

authority must apply when assessing whether to impose a fine, as well as the amount of the

fine.

233. Furthermore, these guidelines also contain an explanation of Article 58 GDPR relating to

the measures that a supervisory authority may choose to take, as the remedies are

inherently different in nature and essentially have different purposes. Finally, it specifies

that certain measures under Article 58 GDPR may be cumulative and thus constitute a

regulatory action based on several remedies.

234. The Market Court, ruling with full jurisdiction, performs a legality and proportionality test of

the sanction and will (only) reduce or cancel the fine in case of serious and proven

circumstances that the Litigation Chamber would not or not sufficiently take into account.

235. In short, this system sufficiently guarantees that the fundamental legal principles arising

from Article 6 of the ECHR and Article 47 of the Charter are complied with.

Legal framework for administrative fines

Relevant provisions in the DPA Act

236. Pursuant to Article 100(1)(13) of the DPA Act, the Litigation Chamber has the power to

impose administrative fines. The Litigation Chamber may decide to impose an

administrative fine on the prosecuted parties in accordance with the general terms and

conditions set out in Article 83 GDPR.

237. Pursuant to Article 103 DPA Act, if an offender has committed several infringements by

means ofthesameactonly theheaviestadministrativefineoftherespectiveinfringements

58See para. 272-273.
59Court of Appeal Brussels, Market Court Section, 2021/AR/320, 7 July 2021, p. 42.
60
EDPB - Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679,
WP253, published on http://www.edpb.europa.eu.

49, shall apply. In the event of overlapping infringements, the rates of the administrative fines

shall be added together without the total amount exceeding twice the highest amount of

the fine applicable to the infringements committed.

Relevant provisions in the GDPR

238. Once an infringement of the Regulation has been established, based on the assessment of

the facts of the case, the competent supervisory authority should determine the most

appropriate corrective measures to address the infringement. The provisions of Article

58(2)(b)-(j)61 set out the tools that supervisory authorities can use to address non-

compliance by a data controller or processor.

a. to issue warnings to a data controller or processor that intended processing

operations are likely to infringe provisions of this Regulation;

b. toissuereprimandstoadatacontrolleroraprocessorwhereprocessingoperations

have infringed provisions of this Regulation;

c. to order the data controller or the processor to comply with the data subject's

requests to exercise his or her rights pursuant to this Regulation;

d. to order the data controller or processor to bring processing operations into

compliance with the provisions of this Regulation, where appropriate, in a specified

manner and within a specified period;

e. to order the data controller to communicate a personal data breach to the data

subject;

f. to impose a temporary or definitive limitation including a ban on processing;

g. to order therectificationor erasureofpersonal data or therestrictionofprocessing

pursuant to Articles 16, 17 and 18 GDPR, as well as the notification of such actions

to recipients to whom the personal data have been disclosed, in accordance with

Articles 17(2) and 19 GDPR;

h. to revoke a certification, or order the certification body to revoke a certification

issued under Articles 42 and 43 GDPR, or order the certification body not to issue

a certification if the certification requirements are no longer fulfilled;

i. depending on the circumstances of each case, in addition to or instead of the

measures referred to in this paragraph, to impose an administrative fine pursuant

to Article 83 GDPR; and;

61Article58(2)(a) states thata warning may be issued. In other words, in the case to which theprovision relates, there is not
yet a breach of the regulation.

50, j. to order the suspension of data flows to a recipient in a third country or to an

international organisation.

239. The power to impose an administrative fine is regulated in Article 83 GDPR, which reads as

follows:

“General conditions for the imposition of administrative fines

1.Eachsupervisoryauthorityshallensurethattheimpositionofadministrativefinespursuant

tothisArticleinrespectofinfringementsofthisRegulationreferredtoinparagraphs4,5and
6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be
imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article

58(2). When deciding whether to impose an administrative fine and deciding on the amount

of the administrative fine in each individual case due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature
scope or purpose of the processing concerned as well as the number of data subjects

affected and the level of damage suffered by them;

a) the intentional or negligent character of the infringement;
b) any action taken by the controller or processor to mitigate the damage suffered by
data subjects;

c) the degree of responsibility of the controller or processor taking into account technical
and organisational measures implemented by them pursuant to Articles 25 and 32;
d) any relevant previous infringements by the controller or processor;
e) the degree of cooperation with the supervisory authority, in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;
f) the categories of personal data affected by the infringement;
g) the manner in which the infringement became known to the supervisory authority, in

particular whether, and if so to what extent, the controller or processor notified the
infringement;
h) where measures referred to in Article 58(2) have previously been ordered against the

controller or processor concerned with regard to the same subject-matter, compliance
with those measures;
i) adherence to approved codes of conduct pursuant to Article 40 or approved
certification mechanisms pursuant to Article 42; and

j) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits gained, or losses avoided, directly or indirectly, from the
infringement.

3. If a controller or processor intentionally or negligently, for the same or linked processing

operations, infringes several provisions of this Regulation, the total amount of the
administrative fine shall not exceed the amount specified for the gravest infringement.

4. Infringementsofthe followingprovisionsshall, in accordance withparagraph 2, be subject
to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of

the total worldwide annual turnover of the preceding financial year, whichever is higher:

b) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39
and 42 and 43;
c) the obligations of the certification body pursuant to Articles 42 and 43;
d) the obligations of the monitoring body pursuant to Article 41(4).

5. Infringementsofthe followingprovisionsshall, in accordance withparagraph 2,be subject
to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of

the total worldwide annual turnover of the preceding financial year, whichever is higher:

51, a) the basic principles for processing, including conditions for consent, pursuant to
Articles 5, 6, 7 and 9;
b) the data subjects’ rights pursuant to Articles 12 to 22;

c) the transfers of personal data to a recipient in a third country or an international
organisation pursuant to Articles 44 to 49;
d) any obligations pursuant to Member State law adopted under Chapter IX;

e) non-compliance with an order or a temporary or definitive limitation on processing or
the suspension of data flows by the supervisory authority pursuant to Article 58(2) or
failure to provide access in violation of Article 58(1).

6. Non-compliance with an order by the supervisory authority as referred to in Article 58(2)

shall, in accordance with paragraph 2 of this Article, be subject to administrative fines up to

20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual
turnover of the preceding financial year, whichever is higher.

7. Without prejudice to the corrective powers of supervisory authorities pursuant to Article
58(2), each Member State may lay down the rules on whether and to what extent

administrative fines may be imposed on public authorities and bodies established in that
Member State.

8. The exercise by the supervisory authority of its powers under this Article shall be subject
to appropriate procedural safeguards in accordance with Union and Member State law,

including effective judicial remedy and due process.

9. […]”

240. A reading of points (a) to (k) of Article 83(2) GDPR, as well as the additional explanations in

paragraphs 3 to 6 of that same provision, is sufficient to refute the defendant's argument

that the various offences listed in Article 83 RGPD are placed on an equal footing.

241. The various criteria to assess the severity of the penalties are clearly set out in Article 83

itself and in recitals 148 to 150 GDPR. Article 83.2 also makes it clear that an analysis must

be made "according to the circumstances of the case".

242. The Litigation Chamber already referred to the Guidelines on the application and setting of

administrative fines under the GDPR, endorsed by the EDPB. These Guidelines provide

guidance on the interpretation of the individual facts of the case in the light of the criteria

set out in Article 83.2 GDPR. The Guidelines bind the Litigation Chamber as an organ of the

DPA, a member of the EDPB.

243. In order to strengthen the enforcement of the rules of the GDPR, recital 148 GDPR clarifies

that penalties, including administrative fines, should be imposed for any breach of the

Regulation, in addition to or as an alternative to appropriate measures imposed by the

supervisory authorities under this Regulation. In a case of a minor infringement or if the fine

likely to be imposed would constitute a disproportionate burden to a natural person, a

reprimand may be issued instead of a fine. Due regard should however be given to the

nature, gravity and duration of the infringement, the intentional character of the

infringement,actionstakentomitigatethedamagesuffered,degreeofresponsibilityorany

relevant previous infringements, the manner in which the infringement became known to

the supervisory authority, compliance with measures ordered against the data controller or

52, processor, adherence to a code of conduct and any other aggravating or mitigating factor.

The imposition of penalties including administrative fines should be subject to appropriate

procedural safeguards in accordance with the general principles of Union law and the

Charter, including effective judicial protection and due process.

244. Contrary to what the defendant maintains, theGDPR does nottherefore imposeaminimum

amount of fine, but only maximum amounts which, depending on the infringements

committed, may amount to 2% or 4% of the turnover of a data controller, or EUR

10,000,000 or 20,000,000 respectively. These amounts are of a dissuasive nature, and it

is for the Litigation Chamber to modulate the amount of the fine according to the

circumstances of the case, taking into account the requirement of proportionality and with

a view to ensuring the effectiveness of the provisions of the GDPR.

245. Since the various offences listed in Article 83 GDPR are not treated in the same way and

since the various criteria to assess the severity of the penalties are clearly set out, the

defendant's argument that the combined reading of Article 83 GDPR and Articles 100 and

101 DPA Act infringes the principles of legality and proportionality, and thus Articles 6 and

7 ECHR and 47 of the Charter of Fundamental Rights of the European Union, because of its

vagueness must be rejected.

246. Article 83 GDPR is a directly effective provision of an EU Regulation and it is the task of the

Litigation Chamber to ensure the effective operation of this Regulation. It is not for the

Litigation Chamber, as a body of a national administrative authority, to rule on the possible

unlawfulness of that provision.

247. In addition, the Constitutional Court ruled in its judgment no. 25/2016, of 18 February 2016

(p24-28) that a single, wide margin for an administrative fine, allowing the administrative

authoritytoadjusttheadministrativefinetothegravityoftheinfringement,doesnotviolate

the principle of legality:

"B.18.2. [...] The principle of legality in criminal matters, which derives from the

aforementioned constitutional and treaty provisions, is also based on the idea that the

criminal law must be formulated in terms which enable any person, at the time when he

adopts a course of conduct, to determine whether that conduct is punishable or not and,

where appropriate, to know the sanction to be imposed. [...]

However, the principle of legality in criminal matters does not prevent the law from granting

the court discretion. Indeed, the general nature of the laws, the diverse situations to which

they apply and the evolution of the conduct they punish must be taken into account.

B.18.3. In the same way, to determine whether the ranges between the upper and lower

limits of the sentences considered by the ordering body are so broad as to infringe the
principle ofthe foreseeabilityofthe sanction, account must be takenofthe specific features

of the offences to which those penalties are attached. [...]

53, B.20.1. The assessment of the seriousness of a crime and of the severity with which the

crime may be punished is within the discretion of the competent legislature. It may impose
particularly severe penalties in cases where the offences may seriously affect the

fundamental rightsofindividualsand the interestsofthecommunity. Itistherefore upto the

competent legislator to establish the limits and amounts within which the discretion of the

courtandoftheadministrationmustbeexercised.TheCourtcouldonlyrejectsuchasystem

if it were manifestly unreasonable.

B.20.2. The ordering body cannot be blamed for wanting to rationalise and simplify the

environmental criminal law in force in the Region. In order to achieve that objective, it could

establish a single and sufficiently wide margin between the upper and lower limits of the

sanction, both for criminal penalties and for alternative administrative fines, in order toallow

the court or the administrative authority to adjust the sanction or the alternative
administrative fine to the seriousness of the crime.

B.20.3. With regard specifically to the offence of exceeding the noise standards laid down

by the Government, the contested provisions are addressed to persons subject to the law

whoareprofessionalsandcanassesswithsufficientaccuracytheseriousnessoftheoffence
they are committing and the corresponding severity of the sanction to which they are

subject. In addition, the choice of sanction must be justified, either by the judge or by the

administrative authority. In the latter case, the decision is subject to judicial review.

B.20.4. It follows from the foregoing that the contested provisions do not confer on the

courtoradministrativeauthorityanydiscretiongoingbeyondthelimitsofwhatispermissible
under the principle of the foreseeability of penalties

248. The defendant's argument that Articles 100 and 101 DPA Act in conjunction with Article 83

GDPR, which form the basis of the power of the Litigation Chamber to impose

administrative penalties and fines, infringe the principles of legality and proportionality and

thus the right to a fair hearing must therefore be rejected.

b. The internal rules of the DPA do not comply with the fundamental principle of the formal

legality of criminal sanctions, enshrined in Articles 12 and 14 of the Belgian Constitution

249. The principle of formal legality, enshrined in Articles 12 and 14 of the Belgian Constitution,

requires that the essential elements of the rules relating to the offences made punishable,

the nature and level of the sanction, and the procedure guaranteeing that the right to a

defence are safeguarded, be laid down by the Chamber of Representatives in accordance

with the legislative procedure laid down by the Belgian Constitution.

250. Since this principle applies not only to criminal penalties stricto sensu, but also to

administrative penalties of a criminal nature, it is fully applicable to the DPA sanctioning

procedure.

54,251. In this regard, the defendant submits that various aspects of the DPA sanctioning

procedure are not laid down in a legislative text - in particular, not in the DPA Act, but in the

Rules of Internal Procedure of 15 January 2019 (RIO).

252. As a result, the defendant considers that the current proceedings were conducted on the

basis of procedural rules that are contrary to Articles 12 and 14 of the Belgian Constitution

and therefore lack a valid legal basis, with the result that the complaints against IAB Europe

must be dismissed.

Position of the Litigation Chamber

253. The principle of legality means that the essential elements of an offence, such as its nature,

the level of punishment and the procedural guarantees relating to it, must be determined

by the legislator.

254. TheLitigationChamber notes thattheonly elements relating to theimpositionofa sanction

that are not contained in the GDPR, the DPA Act or the law of 30 July 2018, but in the Rules

of Internal Order (RIO) of the DPA referred to by the defendant, are by no means essential

elements for the imposition of fines. Indeed, it is not the nature of the fine, nor the sanction,

that is at issue, but elements of a secondary or organisational nature, for example, with

regard to the procedure to be followed in the absence of the president of the Litigation

Chamber (Article 44 RIO), or the number of members sitting per case (Article 43 RIO).

255. The Litigation Chamber also emphasises that the independence of a supervisory authority

under Article 51 et seq. GDPR means that the organisation of its processes, including for

example the assignment of members to a procedure, is at the discretion of the Data

Protection Authority, of course within the limits of the general principles of good

administration and the relevant national legislation.

256. The defendant's argument that the procedure before the Litigation Chamber infringes the

principle of legality is therefore rejected.

c. Appointment of members of the DPA violates Article 53 GDPR

257. The defendant claims that Article 39 DPA Act, which regulates the appointment of the

members of the Litigation Chamber, does not in any way clarify the modalities of the

appointment procedure. In particular, nowhere does it specify how the hearing of the

candidates should proceed, nor does the DPA Act require a written record of the hearing.

Moreover, the nomination takes place on the basis of a secret ballot and there are no

guarantees as to the adequacy of the information on the candidates provided to the

members of the Chamber of Representatives.

258. According to the defendant, the appointment of the members of the DPA, including the

members of the Litigation Chamber, therefore does not satisfy the requirements of Article

55, 53 GDPR, which provides that the appointment must be made 'by means of a transparent

procedure'.

259. In view of the foregoing, the defendant considers that the members of the Litigation

Chamber are notin apositionto makea legally valid decisionin relation to IAB Europeinthis

case. For those reasons also, the claims against IAB Europe should be dismissed.

Position of the Litigation Chamber

260. First of all, the Litigation Chamber points out that any imperfections in the appointment

procedure of the members of the DPA cannot form part of these proceedings and that the

parties cannot invoke a procedural interest in questioning the appointment procedure.

261. TheLitigationChamber reminds thatthe members ofthe LitigationChamber are appointed

by the House of Representatives and can only be removed from their positions by the

House. Thus, neither the Litigation Chamber nor the Market Court are competent to rule on

their appointment. In addition, the parties have no interests in requesting such a ruling.

262. Consequently, the Litigation Chamber rules that this plea is unfounded.

d. The way in which the DPA has handled this procedure is not in line with its duties and powers

under Article 57 GDPR

263. In conclusion, the defendant states, both in its initial submission and in the context of the

reopening of the debates, that the way in which the DPA, in addition to the original

complaint, also considers the additional complaints and grievances made by the

complainants, without the relevance of those additional allegations having been examined

by the Inspection Service, makes the defence of IAB Europe considerably more difficult.

264. IAB Europe considers that this approach is not only fundamentally incompatible with the

duties and responsibilities of a supervisory authority as defined in Article 57 GDPR, but also

has the effect that IAB Europe must only defend itself against the allegations contained in

the inspection report, as opposed to the subsequent allegations made by the complainants

in their subsequent submissions.

Position of the Litigation Chamber

265. The Litigation Chamber emphasises first of all that at no time did the defendant explain

which new allegations are the subject of their defences and as such would violate its rights

of defence. For this reason alone, the Litigation Chamber considers itself entitled to declare

the defendant's plea unfounded.

266. Secondly, the Litigation Chamber notes that the DPA Act in no way prescribes that the

LitigationChamber is bound by aninvestigationreport following an investigationrequested

to the Inspection Service. Indeed, it does not follow from any provision of the DPA Act that

the Litigation Chamber is denied the opportunity to take into account additional or

56, supplementary elements to the report of the Inspection Service, as long as the

consideration of these additional or supplementary elements is sufficiently justified in the

decision and the right of defence is sufficiently guaranteed.

267. The Inspection Service may in any case decide not to investigate certain disputed points, in

accordance with its prerogative under Article 64(2) DPA Act. In such a case, however, it

would be contrary to Article 57 GDPR as well as to the autonomy and independence of the

Litigation Chamber, as implemented by Articles 92 to 100 DPA Act, to simply bind the

Litigation Chamber to the findings of the Inspection Service, without taking into account

the elements put forward in the debates by the parties in the course of the proceedings and

in accordance with the right to be heard.

268. Thirdly, the Litigation Chamber rules that the alleged obligation to base debates on the

inspection report alone following an investigation by the Inspection Service does not apply.

The DPA Act does not provide anywhere that the Litigation Chamber should base its

decision solely on the inspection report or on the parties' submissions. It is appropriate for

a supervisory authority to also consult other bodies and sources in order to be able to

support its decisions if necessary.

269. With regard to the Inspection Service's assessment with a view to a supplementary

investigation, and in particular the nature of the time limits provided for in Article 96 DPA

Act, the Litigation Chamber is not convinced by the arguments put forward by the

defendant. In the present case, the parties have had ample opportunity to make their views

known to the Litigation Chamber and to the other party regarding the allegations and

charges, including the operation of the TCF, the processing of user preferences and

permissions in the TC String, as well as the interrelationship between the TCF and

OpenRTB.

270. In addition, the Litigation Chamber finds that there is no doubt about the crucial importance

of the TC String for the functioning of the TCF. As a result, the defendant could have

expected from thestart of theproceedings that the debates would focus on theprocessing

of data in the context of the TC String. Thus, there can be no question at all of new

allegations - in so far as they exist, given the lack of any concrete example with which the

defendant substantiated its plea - in the complainants' submissions, since they constitute

an explanationofthe operation of theTCF, whichis notdisputed as being at the heart of the

complaints against IAB Europe.

271. Bearing the above points in mind, the Litigation Chamber rules that this plea is insufficient

both in fact and in law.

57,A.10. - Sanction form, European cooperation procedure and publication of the decision

272. The procedure before the Litigation Chamber includes an exchange of written submissions

as well as an oral hearing of the parties involved, as normal steps towards a decision. If the

Litigation Chamber proposes, after deliberation, to impose a (punitive) sanction, the Market

Court requires the Litigation Chamber to provide the defendant with an opportunity to

respond to the intended sanctions, through a standard form covering the retained

infringements and the criteria for determining the amount of the fine. This opportunity for

contradiction, or right to be heard, pertains to the proposed sanctions only and is therefore

only communicated to the defendant.

273. A sanction form has been sent on 11 October 2021, informing the defendant of its

infringements against the GDPR as well as of the Litigation Chamber’s intent to impose

corrective measures and an administrative fine. IAB Europe submitted its response on

1 November, 2021. The defendant contests the calculation of the administrative fine, by

claiming that the Litigation Chamber did not consider all relevant elements for determining

the amount of the administrative fine under Article 83.2 GDPR. Moreover, the defendant

disagrees with the Litigation Chamber’s consideration of the total worldwide annual

turnover of Interactive Advertising Bureau Inc. (IAB Inc.) for the calculation of the

administrative fine, since the latter has no ownership stake in the defendant nor any say in

the deployment of IAB Europe’s activities. The defendant clarifies that IAB Europe licences

the ‘IAB’ brand name from IAB Inc., and that the various IAB organizations across Europe

are separate and distinct organisations.

274. On 8 November, the complainants submitted a request to the Litigation Chamber, asking to

be provided with a copy of the sanction form as well as the defendant’s reaction, based on

the erroneous assumption that the defendant also received further insights into the draft

decision of the Litigation Chamber. The Litigation Chamber responds on 9 November 2021

that it will not disclose the sanction form to the complainants. The notification of the

sanction form to the defendant takes place within the framework of an objective review of

legality and with the specific aim of respecting the defendant's rights of defence, in

accordance with the case law of the Market Court. The defendant is thus informed in

advance of the nature and severity of the sanction it risks and is given the opportunity to

submit its final comments on this point to the Litigation Chamber. Notifying the sanction

form to the complainants could not possibly contribute to the same objective, since the

sanction envisaged would only be imposed on the defendant, not on the complainants, and

would therefore not directly affect the interests of the latter. Neither the rights of the

defence nor any other rule of law require that the complainants be able to put forward

additional arguments in relation to the penalty which may be imposed on the defendant.

58, 275. On 23 November 2021, the Litigation Chamber submitted its draft decision with the other

concerned European supervisory authorities (hereinafter, ‘CSAs’), as foreseen under article

60.3 GDPR.

276. On 18 December 2021 the Litigation Chamber received a letter from the complainants in

response to the Litigation Chamber’s decision not to disclose the content of the sanction

form to the complainants. More specifically, the complainants argued that they should be

informed whether the defendant has brought new elements to the proceedings. The

Litigation Chamber notes that the debates were already closed at that time, and that the

reaction of the defendant to the sanction form only pertained to elements concerning the

sanction.

277. On 20 December 2021, the Litigation Chamber is notified through the Internal Market

Information (IMI) system of a relevant and reasonable objection (RRO) submitted by the

Dutch Authority for Personal Data (Autoriteit Persoonsgegevens). The objection pertains

to the absence of reasoning by the Litigation Chamber with respect to the Dutch NGO Bits

of Freedom’s claim that the TCF makes it impossiblefor users to exercise their data subject

62
rights. The Litigation Chamber has addressed this RRO in its revised draft decision .

278. On 21 December 2021, the defendant submitted a letter to the Litigation Chamber,

requesting the suspension of the provisional enforcement of the decision, that the Belgian

Data Protection Authority does not make the decision public until all appeals have been

exhausted, and that the DPA refrains from issuing any public communication about the

decision prior to any such final decision. Once again, the Litigation Chamber notes that the

debates were already closed at that time.

279. On 21 December 2021, the Litigation Chamber is notified of a relevant and reasonable

objection introduced by the Portuguese National Commission for Data Protection (CNPD).

The objection pertains to the absence of sanction by the Litigation Chamber with respect

to the processing of TC Strings in the absence of a lawful ground under Article 6 GDPR. The

CNPD finds that the draft decision must impose upon the defendant the immediate erasure

of all personal data unlawfully collected so far. The Litigation Chamber has addressed this

RRO in its revised draft decision .

280. In addition to the two RROs, the Litigation Chamber received comments from other CSAs

regarding the joint-controllership established by the Litigation Chamber, the use of

legitimate interest for certain processing operations, the scope of the corrective measures,

62
See para. 504 to 506.
63See para. 535.

59, as well as the administrative fine envisaged and the relationship between IAB Inc. and IAB

Europe.

281. On 13 January 2022, the Litigation Chamber submitted its revised draft decision with the

other concerned European supervisory authorities (hereinafter, ‘CSAs’), as foreseen under

article 60.5 GDPR.

282. On 17 January 2022, the Litigation Chamber notified the parties of the submission of the

revised draftdecision and thedeadlineof27 January 2022 for theCSAs.It also clarified that

the written exchanges with the defendant’s councils, concerning the sanction form, did not

involve new arguments that would require reopening the debates with both parties. Hence,

and seeing as both these exchanges and the sanction form will be part of the administrative

file, the Litigation Chamber dismissed the complainants request to gain access to the

sanction form and the written exchanges that followed with the defendant.

283. On 20 January 2022, the Litigation Chamber received a letter from the claimants, in which

they claimthatthey have therightto obtainacopy of thesanction form and the subsequent

exchanges with the defendant, in order to verify themselves whether no new elements

were brought up by the latter. The claimants also argue that if the sanction form and

subsequent exchanges will be part of the administrative file, and thus accessible in case of

an appeal, there is no reason why they should not be granted access during the current

proceedings. The claimants further claim, based on a press release by the defendant dd. 5

November 2021, that the Litigation Chamber has agreed to approve a Code of Conduct
submitted by the defendant 6 months after its decision. The claimants argue this has not

been subject to the debates during the proceedings, and thus request access to all written

exchanges with the defendant following the sanction form, as well as the reopening of the

debates on the Litigation Chamber’s competence to approve a code of conduct or validate

an action plan.

284. On 27 January 2022, the Litigation Chamber acknowledged the reception of the claimant’s

letter, and responded that their arguments will be taken into consideration in its

deliberations.

Assessment by the Litigation Chamber

285. TheLitigationChamber firstand foremost finds that it is notresponsibleand cannotbeheld

accountable for public statements made outside of the proceedings by either or both of the

parties involved during the Litigation Chamber’s deliberations on the merits.

60, 286. Secondly, the Market Court has stated that the claimants do not have any say in the

determination of the sanctions imposed by the Litigation Chamber . In this regard, Article

58.2.d of the GDPR grants supervisory authorities to order a controller or a processor to

bring processing operations into compliance with the provisions of the GDPR, where

appropriate, in a specified manner and within a specified period. This provision, read in

conjunction with Article 100, §1, 9° of the Data Protection Act, must be interpreted in the

sense that an action plan and the inherently involved monitoring of this action plan by the

BE DPA, must be seen as one of the sanctions that can be imposed on a controller or

processor. The action plan must therefore be seen as a corrective measures, with regard to

which the claimants have no stake.

287. With regard to the defendant’s request not to publish the decision, the Litigation Chamber

reminds of the significant impact of the case, in view of the a large number of data subjects

and organisations involved. Moreover, the Litigation Chamber notes that the request by the

defendants was submitted after the closure of the debates, and that the defendant itself

already published on the case on 5 November 2021. Having considered these elements, the

Litigation Chamber considers not to give a positive reply to the defendant’s request dd. 21

December 2021 not to publish the decision or issue public communications about the

decision prior to the exhaustion of all appeals.

64Market Court, 1 December 2021, FOD Financiën v. GBA, nr. 2021/AR/1044, para. 7.3.4: “It is (certainly) not for a

complainant to interfere in any way with the expediency, let alone the extent of a sanction. The complaint only concerns
(and can only concern) anallegedinfringement in such a way that the decision taken by the DisputeResolution Chamber of
theGBAinrelationtothecomplaint - andinwhichitpossibly imposesasanctiononthepersonconcerned - isneveranultra
petita judgment from the point of view of the complaint.”

61,B. Reasoning

B.1. – Processing of personal data in the context of the Transparency and Consent Framework

288. In this section, the Litigation Chamber examines the concept of personal data as well as the

question of whether personal data exists within the context of the Transparency and
65 66
Consent Framework, designed and managed by IAB Europe and is being processed .

289. For a proper understanding of this decision, the Litigation Chamber emphasises that the

complainants indicated in their written submissions that they wished to limit themselves to

the alleged breaches of the GDPR in the processing of personal data "in the TCF per se" . 67

The Litigation Chamber will therefore not pass judgment in this section on processing

responsibility with regard to the processing operations that take place in the context of the

OpenRTB system.

B.1.1. – Presence of personal data within the TCF

290. European data protection law, including the GDPR, has always taken a broad view of

personal data with the aim of ensuring a high level of data protection and safeguarding the

fundamental rights and freedoms of data subjects. The broad interpretation of, inter alia,

the concept of personal data and the notion of processing is a key element of the case law
68
of the Court of Justice . The principle that personal data does not only relate to an

identified, but also to an identifiable natural person was already established in 1981 by the

Council of Europe Convention for the Protection of Individuals with regard to Automatic

69
Processing of Personal Data .

291. The GDPR unambiguously states that any information about an identified or identifiable

natural person ("data subject") constitutes personal data. "Identifiable' should therefore be

understood to mean the possibility of identifying a natural person directly or indirectly by

means of an identifier such as a name, an identification number, location data, an online

identifier or one or more factors specific to the physical, physiological, genetic, mental,

economic, cultural or social identity of that natural person . 70

292. Furthermore, the GDPR provides that, to determine whether a natural person is identifiable,

account should be taken of all means of which it can be reasonably assumed they will be

65
See title B.1.1. – Presence of personal data within the TCF.
66See title B.1.2.- Processing of personal data within the TCF.
67
Submission of the complainantsdd. 18 February 2021, p. 2.
68C. DOCKSEY, H. IJMANS, "The Court of Justice as a Key Player in Privacy and Data Protection: An Overview of Recent
Trends in Case Law at the Startof a New Era of Data ProtectionLaw", EDPL Review, 2019, p. 300.
69
Article 2.a of the Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of
Personal Data, B.S., 30 December 1993 (Convention 108).
70Article 4.1 GDPR.

62, used either by the data controller or by any other person to identify the natural person

71
directly or indirectly, such as singling out .

293. To determine whether resources can reasonably be expected to be used to identify the

natural person, account should also be taken of all objective factors, such as the cost and

time required for identification, taking into account the technology available at the time of

processing and technological developments . 72

294. Recital 30 GDPR clarifies that natural persons may be linked to online identifiers through

their devices, applications, tools and protocols, such as Internet Protocol (IP) addresses,

identification cookies or other identifiers. This may leave traces which, in particular when

combined with unique identifiers and other information received by the servers, may be

used to create profiles of the natural persons and identify them.

295. The former Article 29 Working Party has already addressed the importance of a broad

definition of personal data, in particular that a natural person can be considered identifiable

when he/she can be distinguished from other members of the group and consequently

73
treated differently .

296. This position is also taken by the Court of Justice. It is established case law that the content

of the information that qualifies as personal data is not important 74and that the criterion of

identifiability must be interpreted flexibly. As long as information, due to its content,

purpose or effect, can be linked to an identified or identifiable natural person by means

that can reasonably be used , regardless of whether the information from which the

data subject can be identified is held entirely by the same controller or partly by another

entity, this information should be considered personal data . 76

297. The complainants argue in their submission in response that the TC String is a unique

character string which is also written into a cookie as a unique identifier and is then stored

77
on a user's device . Furthermore, the complainants take the view that IAB Europe collects

71
Recital26GDPR;theEnglishtextexplicitlyrefersto"singlingout"asoneofthemeansofidentifyinganaturalperson. See
also CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer t. Bundesrepublik Deutschland, ECLI:EU:C:2016:779,
para. 46, and FR. ZUIDERVEEN B ORGESIUS, "Singling out people without knowing their names - Behavioural targeting,
pseudonymous data, and the new Data Protection regulation", Computer Law & Security Review, vol. 32-2, 2016, pp. 256-

271.
72Ibidem.
73
WP136 - Opinion 4/2007 on the concept of personal data, p. 14; WP199 - Opinion 08.2012 providing further input on the
data protection reform discussions, p. 5.
74Opinion of AdvocateGeneral Sharpston of 12 December 2013 in Joined Cases C-141/12 and C-372/12, Y.S., para. 45.
75
CJEU Judgment C-434/16 of 20December 2017,Nowakt. Data Protection Commissioner, ECLI:EU:C:2017:994, para. 35.
76CJEU Judgment C-582/14 of 19 October 2016, Patrick Breyer t. Bundesrepublik Deutschland, ECLI:EU:C:2016:779,

para. 43; CJEU Judgment C-434/16 of 20 December 2017, Nowak t. Data Protection Commissioner, ECLI:EU:C:2017:994,
para. 31: see alsoR. ZUIDERVEEN BORGESIUS, "Singling out people without knowing their names - Behavioural targeting,
pseudonymous data, and the new Data Protection regulation", Computer Law & Security Review, vol. 32-2, 2016, pp. 256-
271; and R . UIDERVEENB ORGESIUS, "The Breyer Case of the CJEU - IP Addresses and the Personal Data Definition", EDPL,

1/2017, pp. 130-137.
77Submissions of the complainants dd. 18 February 2021, para. 25.

63, additional information about users with the help of the TC String, including sensitive

personal data within the meaning of Article 9 GDPR . 78

298. Thedefendant, ontheother hand, refutes the allegations and states thattheTC String does

not contain any personal data 79 or any information directly or indirectly related to the so-

called 'contenttaxonomy' ,whichIAB Europeuses asa'commonlanguage'to describethe

81
content of a website . Furthermore, the defendant takes the view that the TC String does
82
not constitute a unique identifier, nor is it conceived for that purpose .

299. Notwithstanding the foregoing, the defendant states that it must necessarily be possible to

link the TC String with a user, but with the proviso that the link between the preferences

conceived in the TC String and the user will be established only at a later stage, in particular

inthecontextoftheOpenRTB,andisthereforenotcoveredbytheTransparency&Consent
83
Framework .

300. BasedonthetechnicaldocumentationofIABEuropeandIABTechLab ontheTCFprotocol,

the Inspection Service concludes that the TC String in itself does not directly identify users

or devices, as the components that compose the TC String merely reflect technical

information, namely whether or not an unidentified user has consented to purposes Y or Z,

and whether adtech vendors A and B may process the personal data for the accepted

purposes.

301. Specifically, a TC String consists of the following fields:

i. general metadata;

ii. a binary value for each of the purposes of the processing for which consent may be

given;

iii. a binary value for each of the purposes of processing permitted by a legitimate
interest;

iv. a binary value for each of the adtech vendors who may collect and process the

user's personal data on the basis of his consent;

v. a binary value for each of the adtech vendors who may collect and process the

user's personal data on the basis of a legitimate interest;

vi. any processing restrictions;

vii. special opt-in features in connection with the processing purposes;

78Submissions of the complainants dd. 18 February 2021, para. 26.
79
Defendant's reply brief dd. 25 March 2021, para. 48.
80Defendant's reply brief dd. 25 March 2021, para. 51.
81
https://iabtechlab.com/standards/content-taxonomy/
82Defendant's reply brief dd. 25 March 2021, para. 53.
83
Defendant's reply brief dd. 25 March 2021, para. 54.

64, viii. a field dedicated to processing purposes that do not fall under the TCF but are

specific to the publisher;

ix. consent to the processing on legal bases that are not covered by the TCF.

Assessment by the Litigation Chamber

302. While the Litigation Chamber understands that it is not conclusively established that the

TC String, due to the limited metadata and values it contains, in itself allows for direct

identification of the user, the Litigation Chamber notes that when the consent pop-up is

accessed by script from a server managed by the CMP , it inevitably also processes the

user's IP address, which is explicitly classified as personal data under the GDPR.

303. Indeed, Recital 30 GDPR states that natural persons may be linked to online identifiers

through their devices, applications, tools and protocols, such as Internet Protocol (IP)

addresses, identification cookies or other identifiers such as radio frequency identification

tags. This may leave traces which, in particular when combined with unique identifiers and

other information received by the servers, may be used to create profiles of the natural

persons and identify them.

304. As soon as a CMP stores or reads the TC String on a user's device using a euconsent-v2

cookie, the consent or objection to the processing on the grounds of legitimate interest, as

well as the preferences of this user, can be linked to the IP address of the user's device. In

other words, CMPs have the technical means to collect IP addresses (as indicated in their
85
pop-up ) and to combine all information relating to an identifiable person. The possibility of

combining the TC String and the IP address means that this is information about an

identifiable user .86

305. In addition, identification of the user is possible by linking to other data that can be used by

participating organisations within TCF, but also in the context of OpenRTB. In that regard,

the Litigation Chamber emphasises that the parties in question are not one and the same,

but participating organisations — CMPs and adtech vendors — who, as examined in more

detail below 87 are obliged to disclose information enabling them to identify users to the

defendant, upon simple request.

84Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), p. 58.
85
See examples in the Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), pp. 99 ff.
86C. SANTOS , M. OUWENS , M. OTH, N. IELOVA, V. OCA, "Consent Management Platforms Under the GDPR: Processors
and/or Controllers?", in Privacy Technologies and Policy, APF 2021, LNCS, vol 12703, Springer, 2021, pp. 50-51. The
Litigation Chamber notes in this regard that, until this summer, if a ‘globally stored’ TC String was chosen, the CMPs could

accesstheIABEurope-managedconsensu.orginternetdomaintoverifywhetheragloballyscopedconsenthadbeengiven
by the user, which involved the disclosure of the TC String values coupled with users’ IP addresses to the CMPs, by IAB
Europe.Thedefendantannouncedduringthehearingthattheglobally scopedconsentsfunctionality wouldbedeprecated.
87
See para. 358 et seq. of this decision.

65, 306. Therefore, the Litigation Chamber finds that the defendant has reasonable means at its

disposal that it can use with respect to registered organisations participating in the TCF,

and with which the defendant is able to identify directly or indirectly the user behind a

TC String.

307. The Litigation Chamber also understands that the TCF is intended to and therefore

inherently involves storing each user's combination of preferences in the form of a unique

string in the TC String, in order to communicate those preferences to a large number of

adtech vendors.

308. Indeed, the Litigation Chamber found from the inspection reports that adtech vendors as

well as other participants within the wider OpenRTB ecosystem read the signal stored in a

TC String in order to determine whether they have the required legal basis to process a

user's personal data for the purposes to which the user has consented . 88

309. In this regard, the Litigation Chamber emphasises that it is sufficient that certain

informationisusedtosingleoutanaturalpersontobeabletospeakofpersonal data .Also, 89

the purpose of the TC String, namely to capture the preferences of a specific user, leads de

facto to the TC String being regarded as personal data.

310. In other words, if the purpose of the processing is the singling out of persons, it may be

assumed that the controller or another party has or will have at their disposal the means

by which the data subject may reasonably be expected to be identified. To claim that

individuals are not identifiable, when the purpose of the processing is precisely to
90
identify them, would be a contradiction in terminis .

311. Furthermore, the Litigation Chamber is of the opinion that the processing of these

preferences has unmistakable consequences for the rights and interests of the data

subjects,sincethesechoicesdetermine, amongotherthings,whichthirdpartieswillreceive

91
and process the personal data of the users in the context of the OpenRTB protocol .

312. In view of the foregoing findings as well as the broad interpretation of the concept of
92
personal data, as confirmed in the case law of the Court of Justice , the Litigation Chamber

concludes that the preferences of users in a TC String do constitute personal data, as these

preferences relate to a singled out, identifiable natural person . 93

88Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), p. 75.
89
WP136 - Opinion 4/2007 on the concept of personal data, p. 14.
90WP136 - Opinion 4/2007 on the concept of personal data, p. 16.
91
CJEU, judgment C-434/16 of 20 December 2017, Nowak t. Data Protection Commissioner, para. 39.
92See para. 296 of this decision.
93
CJEU, judgment C-434/16 of 20 December 2017, Nowak t. Data Protection Commissioner, para. 34.

66, B.1.2. - Processing of personal data within the TCF

313. The Inspection Service explains in its technical investigation reports that the TCF is

necessarily based on three core components:

i. a fully customisable user interface that allows TCF-registered Consent

Management Platforms to collect the user's consent, any objections to processing

based on a legitimate interest, and preferences regarding the purposes of

processing and authorised adtech vendors;

ii. a Global Vendors List that includes partners approved by IAB Europe and specific

information regarding their respective processing purposes and legal bases; and

iii. a standardised mechanism for requesting, storing and optionally sharing

authorised adtech vendors, consents, objections and preferences through a

dedicated API, astandard formatfor storing partners/consents, and astandardised
94
data structure for transferring partner/consent status .

314. Thecomplainants arguethatthegenerationoftheTC String corresponds to theautomated

creation of a unique string of characters associated with a specific user, through which his

data exchange preferences are captured by the intervention of a CMP connected to the

TCF .5

315. Furthermore, the complainants refer to the sharing of the TC String with CMPs and other

participants in the TCF. Specifically, they argue that the storage of a TC String in a specific

euconsent-v2 cookie, on a storage system chosen by the CMP or associated with the

consensu.org internet domain managed by IAB Europe, also constitutes processing of user

preferences.

316. Thedefendant, ontheother hand, argues thatthereis no processing ofpersonal datawithin

themeaningofSection4(2)GDPRinthecontextoftheTCF,givenitsviewthattheTCString

as such cannot be regarded as personal data.

Assessment by the Litigation Chamber

317. First and foremost, the Litigation Chamber refers to the definition of processing personal

data as being any operation or set of operations which is performed upon personal data or

sets of personal data, whether or not by automatic means, such as collection, recording,

organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use,

94
Consent Management Platform API v2.0, August 2019 (Exhibit 34), p. 4; Technical Analysis Report of the Inspection
Service, 6 January 2020 (Exhibit 53), pp. 58-59.
95Submissions of the complainants dd. 18 February 2021, para. 27.

67, disclosure by transmission, dissemination or otherwise making available, alignment or
96
combination, blocking, erasure or destruction .

318. TheTCF provides astandardised approachfor collecting and exchanging personal data - i.e.

consent, any objections, and preferences - from well-defined, already identified or at least

identifiable users in a supposedly GDPR-compliant manner. The fact that participating

organisations can directly identify data subjects with additional data such as an IP address

from the TC String, which captures these consents, objections and preferences, means not

only that the TC String can be considered personal data , but also that the participating

organisations (adtech vendors) necessarily process personal data.

319. Taking into account the connection between the TCF and the OpenRTB protocol, the

LitigationChamberreferstotheguidelinesoftheformerArticle29WorkingPartyonOnline

Advertising, in which the Working Party noted that the methods of advertising based on

surfing behaviour inherently involve the processing of personal data, as such advertising

entails the collection of IP addresses and the processing of unique identifiers, so that data

subjects can be followed online even if their real names are not known . 98

320. The Litigation Chamber understands that the Transparency and Consent Framework

inherently entails the collection, processing, storage and subsequent sharing of users'

preferences with other parties, whether or not in combination with additional personal data

in the context of the OpenRTB.

321. Consequently, the Litigation Chamber finds that there is in fact processing of personal data

within the meaning of Article 4.2 of the GDPR. This conclusion is also confirmed by

considerationof the possibility that theTC Strings may at any time belinked to immediately

identifiable information, whether provided by the data subject or not.

B.2. - Responsibility of IAB Europe for the processing operations within the Transparency and

Consent Framework

322. IAB Europe states that it is neither data controller nor jointly responsible for the processing

of personal data collected by the participating organisations in the context of the TCF.

323. However, the Litigation Chamber finds that this reasoning cannot be followed for several

reasons. First of all, the broad interpretation by the Court of Justice of the concept of a data

controller (B.2.1. - Broad interpretation of the concept of data controller by the Court of

96Art. 4.2) GDPR.
97See previous section, B.1.1. – Presence of personal data within the TCF.
98
WP171 - Opinion 2/2010 on online behavioural advertising, 22 June 2010, p. 10, https://ec.europa.eu/justice/article-
29/documentation/opinion-recommendation/files/2010/wp171_nl.pdf

68, Justice and the EDPB) must be applied. The fact that IAB Europe has a decisive influence on

thepurpose(B.2.2.- Determining thepurposes oftheprocessing ofpersonal datawithinthe

TCF) and means (B.2.3. - Determining the means for processing personal data within a TCF)

of the processing by imposing compulsory TCF parameters also needs to be taken into

account.

B.2.1. - Broad interpretation of the concept of data controller by the Court of Justice and the

EDPB

324. The GDPR defines a "data controller" as the entity that, alone or jointly with others,

determines the purposes and means of the processing of personal data . This definition

should be understood in the light of the legislator's objective of placing the main

responsibility for the protection of personal data on the entity that actually exercises

control over the data processing. This means that not only the legal qualification, but also

100
the actual reality must be taken into account.

325. TheEDPB has clarified thatthe concept ofdata controller refers to theinfluenceofthedata

controller on the processing, based on a power of decision or monitoring of the processing

activities. Such monitoring may be based on legal provisions, on an implicit power or on the

101
exercise of a de facto influence . In essence, determining the purposes and the means

corresponds to deciding respectively the "why" and the "how" of the processing: given a

particular processing operation, the controller is the actor who exerts such influence over

the processing of personal data, thus determining why the processing is taking place (i.e.,

“to what end”; or “what for”) and how this objective shall be attained (i.e. which means shall

be employed to pursue the objective) 10.

326. Thepower todeterminethemeansandpurposesofprocessingactivitiesmay firstbelinked

to the functional role of an organisation 10. The responsibility may also be assigned on the

basis of the contractual provisions between the parties involved, although these are not
104
always decisive , or on the basis of an assessment of the actual control of a party. For

example, determining the means and purposes may result from a decisive influence on the

processing, in particular on why processing is carried out in a certain manner 10.

99
Art. 4.7) GDPR
100L.A.BYGRAVE &L.T OSONI,“Article4(7).Controller"inTheEUGeneralDataProtectionRegulation.ACommentary,Oxford

University Press, 2020, p. 148.
10EDPB - Guidelines 07/2020 on the concepts of data controller and processor in the GDPR, v2.0, 2021, para. 20 et seq.
102
Ibidem, para. 35.
103D.DeBot,DetoepassingvandeAlgemeneVerordeningGegevensbeschermingindeBelgischecontext,WoltersKluwer,
2020, para. 362.
104
D.DeBot,DetoepassingvandeAlgemeneVerordeningGegevensbeschermingindeBelgischecontext,WoltersKluwer,
2020, para. 363-365.
105EDPB - Guidelines 7/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 20.

69, 106
327. In its Jehovah's Witnesses judgment , the Court of Justice gives a broad interpretation to

the concept of a data controller. This judgment is relevant and applicable to the present

case, as it clarifies that the definition of data controller must be interpreted broadly, in order

to ensure 'effective and complete protection of the data subjects' 107, and that no access to

the personal data concerned is required in order to qualify as a data controller 10. The

Litigation Chamber quotes the relevant recitals of the aforementioned judgment below:

“65. AsArticle 2(d)ofDirective 95/46 expressly provides, the term 'datacontroller' refersto

the natural or legal person who, 'alone or jointly with others', determines the purposes and

means of the processing of personal data. This concept does not therefore necessarily refer

to a single natural or legal person and may involve several participants in such processing,

each of whom is then subject to data protection provisions (see, to that effect, Judgment of

5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C-210/16, EU:C:2018:388, point 29).

66.Although the aimofthat provision isto ensureeffective and completeprotection ofdata

subjects through a broad definition of the term 'data controller', the existence of joint

responsibility does not necessarily mean that the various participants in the processing of

personal data are equally responsible. On the contrary, these participants may be involved in

this processing at different stages and to different degrees, so that the assessment of the

level of responsibility of each of them must take into account all the relevant circumstances

of the particular case (see, to that effect, judgment of 5 June 2018, Wirtschaftsakademie

Schleswig-Holstein, C- -210/16, EU:C:2018:388, points 28, 43 and 44).

67. In that regard, neither the wording of Article 2(d) of Directive 95/46, nor any other

provision of that directive, permits the conclusion that the purposes and means of the

processingmust be determined by meansofwritten guidelinesor instructionsfrom thedata

controller.

68. However, a natural or legal person who exercises influence over the processing of

personal data for reasons of their own and thereby takes part in determining the purposes

and means of processing may be regarded as a data controller within the meaning of Article

2(d) of Directive 95/46.

69. Moreover, the fact that several participants are responsible for the same processing

under that provision doesnot presuppose that each ofthem hasaccessto the personal data

concerned (see, to that effect, Judgment of 5 June 2018, Wirtschaftsakademie Schleswig-

Holstein, C- -210/16, EU:C:2018:388, point 38)."

106CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17,
ECLI:EU:C:2018:551.
107
CJEU Judgment of 13 May 2014, Google Spain SL v. Agencia Española de protección de Datos (AEPD) and Others, C-
131/12, ECLI: EU:C:2014:317, paragraph 34; see also the discussion on the scope of the concept in C. DOCKSEY and H.
HIJMANS, "The Court of Justice as a Key Player in Privacy and Data Protection", European Data Protection Law Review,
2019, issue 3, (300)304.
108
CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17,
ECLI:EU:C:2018:551. See also EDPB - Guidelines 07/2020 on the concepts of data controller and processor in the GDPR,
v2.0, 2021, para. 45.

70, 328. It is therefore clear to the Litigation Chamber that the defendant does not necessarily have

to process the personal data concerned itself, nor does it have to be able to grant itself any

access to the personal data, in order for IAB Europe to be considered a data controller, as 109

in relation to a framework for which the defendant moreover charges an annual fee of

110
1.200 EUR to participating organisations .

329. Furthermore, the impact or consequences of certain activities on the rights and freedoms

of data subjects may also be taken into account when determining an organisation's

responsibility. If it appears that an organisation plays a decisive role in the dissemination of

111
personal data or that the processing operations carried out under the influence of the

organisation may substantially affect the fundamental rights to privacy and to the

protection of personal data 112, that organisation should be regarded as a data controller.

330. In this case, the Litigation Chamber concludes that the participating parties, i.e. publishers

and adtech vendors, would not be able to achieve the goals set by IAB Europe without the

TCF. IAB Europe's framework thus plays a decisive role with regard to the collection,

processing and disseminationof users' preferences, consents and objections, regardless of

whether the defendant itself comes into contact with the aforementioned data.

B.2.2. - Determining the purposes of the processing of personal data within the TCF

331. Defining the purposes is the first condition for identifying the data controller of personal
113
data . Moreover, it is generally considered that defining the purposes of processing

outweighs defining the means when it comes to establishing the responsibility of an

114
organisation . Incidentally, an erroneous designation by a data controller, such as a

designation as a processor that is contradicted by the factual situation, is not binding on the

court or supervisory authority 115.

109
CJEU Judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16, ECLI: EU:C:2017:796, para. 35; CJEU Judgment of 10 July 2018,
Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17, ECLI:EU:C:2018:551, para. 69.
110
https://iabeurope.eu/join-the-tcf/
11CJEU Judgment of 13 May 2014, Google Spain SL v. Agencia Española de protección de Datos (AEPD) and Others, C-
131/12; ECLI: EU:C:2014:317, paragraph 36.
112
CJEU Judgment of 13 May 2014, Google Spain SL v. Agencia Española de protección de Datos (AEPD) and Others, C-
131/12; ECLI: EU:C:2014:317, para. 38.
113
Art. 4.7) GDPR; A. ELFORGE Titre 8. Les obligations générales duresponsable du traitement et la place du sous-traitant"
in Le Règlement général sur la protection des données (RGPD/GDPR). Analyse approfondie, Larcier, Bruxelles, 2018, para.
9-12.
114
EDPB- Guidelines7/2020ontheconceptsof controllerandprocessorintheGDPR,v2.0,2021,para.20;L.A. B YGRAVE &
L. OSONI , “Article 4(7). Controller" in The EU General Data Protection Regulation. A Commentary, Oxford University Press,
2020, p. 150; B. AN A LSENOY , Data Protection Law in the EU: Roles, Responsibilities and Liability, Intersentia, 2019, para
109-110; A. DELFORGE Titre 8. Les obligations générales du responsable du traitement et la place du sous-traitant" in Le
Règlement général sur la protection des données (RGPD/GDPR). Analyse approfondie, Larcier, Bruxelles, 2018, para. 12.

115C. de ERWANGNE , "Titre 2. Définitions clés et champ d'application du RGPD" in Le Règlement général sur la protection
des données (RGPD/GDPR). Analyse approfondie, Larcier, Bruxelles, 2018, para. 9-12.

71, 332. The Inspection Service states that the Transparency and Consent Framework does not in

itself constitute processing of personal data, but is a set of policy documents and technical
116
specifications developed by IAB Europe and IAB Tech Lab . The Litigation Chamber

concurs with this statement by the Inspection Service.

333. However,theLitigationChamberalsofoundthatpersonaldataareprocessedinthecontext

of the TCF, and more specifically the processing of user preferences, which CMPs record

via a user interface and store using the TC String. To enable a standardised approach within

the TCF, IAB Europe uses both policy documents and technical specifications:

▪ The TCF Policies consist of rules for participation that apply to publishers, Consent

Management Providers (CMPs) and other adtech vendors.

▪ The technical specifications of the TCF, which provide a technical protocol with

which participating organisations can immediately exchange the status of the

information provided and the choices of the data subjects. These technical

specifications are closely aligned with the TCF Policies, in order to provide the

technical functionality needed to operationalise the TCF standard.

334. Thedefendantstatesinitsdefencethattheprocessingofthosepreferences,inaccordance

with the rules imposed by the TCF on participating organisations, pursues the objective of

enabling both website and app publishers and the advertising technology partners who

support the targeting, delivery and measurement of advertising and content (adtech

vendors) to obtain users’ consent, to transparently disclose their processing purposes, and

to establish a valid legal basis for the processing of personal data in order to provide digital
117
advertising,amongothers .Thisobjectiveis alsoreflectedinthe IABEuropeTransparency

& Consent Framework Policies (hereinafter "TCF Policies") 11:

“ii. The goal of the Framework is to help players in the online ecosystem meet certain

requirements of the ePrivacy Directive (and by extension its successor, the upcoming

ePrivacy Regulation), and General Data Protection Regulation by providing a way of

informing users about inter alia the storing and/or accessing of information on their devices,

the fact that their personal data is processed, the purposes for which their personal data is

processed, the companies that are seeking to process their personal data for these

purposes,providinguserswithchoiceaboutthesame,andsignallingtothirdpartiesinteralia

which information has been disclosed to users and what users’ choices are.”

11Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), p. 9.
11Defendant's reply brief, § 33.
118
IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32); IAB Europe Transparency &
Consent Framework Policies v2019-04-02.2c (Exhibit 38).

72, 335. It is also apparent from the documentation drawn up by the defendant that the purposes of

the TC String are determined by IAB Europe:

“A TC String's primary purpose isto encapsulate and encode all the information disclosed to

a user and the expression of their preferences for their personal data processing under the

GDPR. Using a Consent Management Platform (CMP), the information is captured into an

encoded and compact HTTP-transferable string. This string enables communication of

transparency and consent information to entities, or "vendors", that process a user's

personal data. Vendors decode a TC String to determine whether they have the necessary

legal bases to process a user's personal data for their purposes."119

336. Although the Litigation Chamber emphasises that the purpose of the processing of the TC

String must be distinguished from the purposes of the processing that takes place outside

the TCF, such as the processing and exchange of the personal data that are part of a bid

request in the context of OpenRTB, it finds that the TCF is offered with the aim of indirectly

promoting the use of OpenRTB. In that respect, IAB Europe, in its capacity as Managing

Organisation, acts as a hinge between TCF and OpenRTB, which, incidentally, was

developed by IAB Tech Lab.

337. In support of its standpoint, the Litigation Chamber refers to the inventory of possible

purposes that participating organisations may pursue within the context of the TCF. For

example, the TCF Policies for CMPs, publishers and other adtech vendors respectively

stipulate a mandatory list 120with fixed and predefined Purposes 12, Special purposes 122,

Features 123and Special features defined by IAB Europe:

▪ Purpose 1 — Store and/or access information on a device

▪ Purpose 2 — Select basic ads

▪ Purpose 3 — Create a personalised ads profile

▪ Purpose 4 — Select personalised ads

▪ Purpose 5 — Create a personalised content profile

▪ Purpose 6 — Select personalised content

▪ Purpose 7 — Measure ad performance

11Transparency and Consent String with Global Vendor & CMP ListFormats v2.0, August 2019 (Exhibit 35), p. 8.
120IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 26 ff.
121
The term “Purpose” refers to one of the defined purposes for processing of data, including users’ personal data, by
participants in the Framework that are defined in the TCF Policies or the Specifications.
122“Special Purpose” means one of the defined purposes for processing of data, including users’ personal data, by

participants in the Framework that are defined in the TCF Policies or the Specifications for which Vendors declare a Legal
Basis in the GVL and for which the user is not given choice by a CMP.
123“Feature”meansoneofthefeaturesofprocessingpersonaldatausedbyparticipantsintheFrameworkthataredefined
in the TCF Policies or the Specifications used in pursuit of one or several Purposes for which the user is not given choice

separately to the choice afforded regarding the Purposes for which they are used.

73, ▪ Purpose 8 — Measure content performance

▪ Purpose 9 — Apply market research to generate audience insights

▪ Purpose 10 — Develop and improve products

▪ Special Purpose 1 — Ensure security, prevent fraud, and debug

▪ Special Purpose 2 — Technically deliver ads or content

▪ Feature 1 — Match and combine offline data sources

▪ Feature 2 — Link different devices

▪ Feature 3 — Receive and use automatically-sent device characteristics for

identification

▪ Special Feature 1 — Use precise geolocation data

▪ Special Feature 2 — Actively scan device characteristics for identification

338. The Litigation Chamber concludes from this that the purpose of the TC String, and in the

broader sense of the processing of the TC String within the TCF as translated into the TCF

Policies, has been established by IAB Europe.

B.2.3. - Determining the means for processing personal data within a TCF

339. Determining the means of processing is the second cornerstone of the concept of

controllership. With regard to the means of processing, the EDPB makes a distinction

between so-called “essential” and “non-essential” means. The choice of non-essential

means may, in principle, be left to a processor without any reduction in the responsibility of
124
the entity that determined the purposes .

340. "Essential means" are closely linked to the purpose and scope of the processing and are

inherently reserved to the controller. Examples of essential means relate to the type of

personal data processed ("whatdata are processed?"), thedurationoftheprocessing ("how

long are they processed?"), the categories of recipients ("who has access to them?") and

the categories of data subjects ("whose personal data are processed?"). "Non-essential

means", on the other hand, mainly concern the practical aspects of the implementation,

such as the choice of a particular type of hardware or software or the detailed security
125
measures that can be left to the processor to decide .

126
341. It is established by the Litigation Chamber, and also confirmed by the defendant , that the

Transparency and Consent Framework constitutes a framework of binding rules for the

participating organisations with regard to the processing of user preferences. Participants

124EDPB - Guidelines 7/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 39-41.
125EDPB - Guidelines 07/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para. 40.

126Defendant's reply brief dd. 25 March 2021, para. 35.

74, in the TCF are assumed to accept the Terms and Conditions for the IAB Europe

Transparency & Consent Framework (hereinafter "Terms and Conditions") 127 in order to

register. By doing so, the Litigation Chamber finds that IAB Europe does not only monitor

compliance with the TCF specifications and policies, as Managing Organisation. In addition,

the defendant is also defining the rules applicable to the processing of TC Strings under the

TCF, as well as imposing these rules on participating organisations.

342. In the following paragraphs, the Litigation Chamber will examine the extent to which

essential means of processing the TC String are actually determined by IAB Europe.

343. Generation, modification and reading of the TC String – In the first place, the TCF Technical

Specifications 12, the IAB Europe Transparency and Consent Framework Implementation

129 130
Guidelines (hereinafter "TCF Implementation Guidelines") and the TCF Policies explain

how CMPs can collect user approval, must generate a unique TC String, and need to store

the value of the TC String.

344. Moreover, CMPs are obliged to register with IAB Europe in order to be able to generate a

TC String 131and must follow the technical specifications developed by IAB Europe in

132
cooperation with IAB Tech Lab regarding the API with which CMPs can generate the TC

String and adtech vendors and publishers can read it 133. These specifications also show that

the CMP API plays an essential role in the TCF, as it provides a standardised way for parties,

such as the publisher or an advertising vendor, to access the users' preferences, which are
134
managed by the CMP .The Litigation Chamber notes thatthe use of this APIis mandatory

when communicating between CMPs and adtech vendors.

345. With regard to the content of the TC String, the TCF Technical Specifications specify which

information is included, including metadata such as the exact time the TC String was

generated or modified.

346. Inthisregard,theLitigationChamberrefersto the Wirtschaftsakademie judgment,inwhich

the Court of Justice held that the entity responsible for laying down, and a fortiori imposing,

settings in relation to a data processing operation, thereby participates in determining the

12Terms and Conditions for the IAB Europe Transparency & Consent Framework ("Terms and Conditions") (Exhibit 33).
128
Transparency and Consent String with Global Vendor & CMP ListFormats v2.0, August 2019 (Piece 35).
129IAB Europe Transparency and Consent Framework Implementation Guidelines, August 2019 (Exhibit 36).
130
IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32); IAB Europe Transparency &
Consent Framework Policies v2019-04-02.2c (Exhibit 38).
13Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), p. 76.
132
An API is a programming interface that allows you to "plug in" to an application to exchange data. An API is open and
offered by the program owner. APIs are used in various fields of digital marketing to enable, for example, automated
gatewaysfordataexchangebetweenprogramssuchasAdwords,AdExchangeandanagencyorvendor.Itcanalsobeused
by adtechvendors, agencies or software suppliers to automateadvertising campaigns.

133Consent Management Platform API v2.0, August 2019 (Exhibit 34), p. 4.
134Consent Management Platform API v2.0, August 2019 (Exhibit 34), p. 6.

75, purposes and means of that processing and must therefore be regarded as the data

controller 135.

347. Storage location - In their written evidence, the complainants argue that IAB Europe is

responsible for managing the internet domain "consensu.org", to which the so-called

globally scoped consent cookies 136refer and which as such allows CMPs to consult and

modify the TC Strings shared across multiple websites or applications.

348. In contrast, IAB Europe states in its submissions that although it has registered the

consensu.org domain, there is no storage of the TC String on IAB Europe's servers to which

that consensu.org domain refers. Indeed, IAB Europe delegates a subdomain of

consensu.org to each registered CMP 13, which stores the TC String on the user's device

using a euconsent-v2 cookie and associates it with the consensu.org domain. According to

the defendant, it is therefore only the CMP that generates and stores the TC String and the

CMP's own servers that read out the TC String.

349. In order to establish the responsibility of IAB Europe for the processing of the TC Strings, it

is necessary to determine to what extent the delegation of a sub-domain to a CMP by IAB

Europeimpliesthatthedefendantestablishes atleastthemeans(and anypurposes)ofsuch

processing.

350. The TCF Technical Specifications prescribe that sharing the TC String with CMPs should

take place in two ways: either by storing the TC String in a storage system chosen by the

CMP, if it is a service-specific consent 138; or by storing the TC String in a shared globally

scoped consent cookie associated with the IAB Europe's consensu.org internet domain 13.

351. Based on the technical reports and the statements of the parties at the hearing, the

Litigation Chamber concludes that a service-specific consent by means of a first-party

euconsent-v2 cookiehas beenestablished, and is thereforestored exclusivelyontheuser's

device.Inthisfirstscenario,the euconsent-v2cookieinquestionwillthereforenotbelinked

to the consensu.org domain, nor to the subdomain delegated to the CMP by IAB Europe.

352. However, in exceptional cases where the user's consent also applies to other websites, so-

called globally scoped consent cookies, CMPs are required to store the relevant TC String

135
CJEU Judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v
Wirtschaftsakademie Schleswig-Holstein GmbH, C-210/16, ECLI: EU:C:2017:796, paragraph 39: "In these circumstances, it
must be judged that the administrator of a fan page on Facebook, such as Wirtschaftsakademie, by defining settings
accordingto,inparticular,itstargetaudienceandobjectivesforthemanagementorpromotionofitsactivities,participates
in determining the purposes andmeans of the processing of personal data of visitors to its fan page".

136Which contain the TC Strings.
137More specifically, it concerns the subdomain <name of the CMP>.mgr.consensu.org. For example, for Onetrust this is

https://cookies.onetrust.mgr.consensu.org/.
138In concrete terms, this means that the user's consent is only validfor the website visited, and for the purposes accepted
and the adtechvendors approved.
139
Transparency and Consent String with Global Vendor & CMP ListFormats v2.0, August 2019 (Piece 35).

76, ontheuser's deviceby means ofa third-party cookie, whereby thecookieis associated with

140
the consensu.org domain . Only the CMPs are able to read the TC Strings on the user

devices.

353. In this second scenario, each CMP is then given a separate sub-domain, assigned by IAB

Europe via DNS delegation, where the consent cookie with the TC String is associated with

the main domain consensu.org and its sub-domains. In concrete terms, this means that the

scope of the globally scoped consent cookie includes both the domain consensu.org and

the subdomains delegated to the CMPs.

354. According to the defendant, the globally scoped consent was only applied to a limited

extent and IAB Europe stopped using and supporting it after the hearing. The Litigation

Chamber takes note of this, but emphasises that this functionality also indicates that IAB

Europe’s responsibility goes beyond merely designing a framework.

355. The Litigation Chamber also considers that the defendant establishes the means of

processing the TC String as well as the euconsent-v2 cookie, both for the service-specific

and for the globally-scoped consents. The fact that the TCF does not impose a specific

mechanism for storing users' consent in the browser but merely recommends that CMPs

use a first-party cookie does not preclude the finding that the defendant provides a list of

possible mechanisms for linking the TC String to an individual user, of which the CMP API is

the most common. More specifically, the Litigation Chamber notes that, in its policy

document entitled 'Consent Management Platform API', the defendant prescribes, among

other things, the standardised way in which the various parties involved in the TCF can

consult the preferences, objections and consents of users 14:

140Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), p. 79.

14Consent Management Platform API v2.0, August 2019 (Exhibit 34), p. 6.

77, 356. Categories of recipients of the TC String - The Litigation Chamber also rules that IAB

Europe determines with whom the users' preferences are to be shared, by, among other

things, providing a list of TCF-registered adtech vendors, the so-called Global Vendors List

(GVL) 142, as well as a list of permitted CMPs (Global CMP List) 143.

357. IAB Europe's documentation shows that publishers who wish to use the TCF are obliged to

work with a TCF-registered CMP 144. In addition, the TCF Implementation Guidelines state

that CMPs are obliged to collect consent and any objections for all purposes and partners

chosen by the publisher, although this may be extended to all adtech vendors included in

the GVL 145.

358. Retention period of the TC String - Finally, the two versions of the TCF Policies explicitly

state that CMPs and participating adtech vendors must retain the record of the consent or

objection, whichis stored intheTC String, for as long as theprocessing is ongoing and make

it available to the Managing Organisation, i.e. the defendant, upon the latter’s simple
146
request :

“8. Record Keeping

1. A CMP will maintain records of consent, as required under the Policies and/or the

Specifications, and will provide the MO access to such records upon request without undue

delay.

2. A CMP will retain a record of the UI that has been deployed on any given Publisher at any

giventimeandmakethisrecordavailabletoitsPublisherclient,Vendors,and/ortheMOupon

request.

[…]

15. Record Keeping

1. A Vendor must maintain records of consent, as required under the Policies and the

Specifications, and will provide the MO access to such records upon request without undue

delay.

2. A Vendor must maintain records of user identification, timestamps, and received Signals

for the full duration of the relevant processing. A Vendor may maintain such records of user

identification, timestamps, and Signals beyond the duration of the processing as required to

comply with legalobligationsor to reasonably defendor pursue legal claims, and/or for other

processing allowed by law, under a valid legal basis, and consistent with the purposes for

which the data was collected.”

142
https://iabeurope.eu/vendor-list/ and https://iabeurope.eu/vendor-list-tcf-v2-0/
143https://iabeurope.eu/cmp-list/
144
IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), p. 21
145IAB Europe Transparency and Consent Framework Implementation Guidelines, August 2019 (Exhibit 36), p. 13.
146IAB Europe Transparency & Consent Framework Policies v2019-04-02.2c (Exhibit 38), Articles 8 and 15; IAB Europe

Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), Articles 8 and 15.

78, 359. TheLitigationChamberthereforefindsthatIABEuropebearstheresponsibilityfordefining

the criteria by which the retention periods of the TC Strings can be determined.

360. It follows from the foregoing that, in addition to the purposes, IAB Europe does in fact

determine the means of generating, storing and sharing the TC String by which the

preferences, objections and consent of users are processed. The following elements are

decisive according to the Litigation Chamber:

i. IAB Europe defines how CMPs can collect consent or objections from users,

generate a unique TC String, and store the value of the TC String;

147
ii. IAB Europe, in collaboration with IAB Tech Lab , has developed the technical

specifications of the API with which adtech vendors, among others, can access the

preferences of the users, which are managed by the CMP, in a standardised way;

iii. IAB Europe determines the storage location and method for both service-specific

and globally scoped consent cookies;

iv. IAB Europe manages the lists of registered CMPs and adtech vendors and

therefore determines with which possible recipients the data relating to the TC

String is communicated;

v. IAB Europe determines the criteria by which the retention periods for TC Strings

may be established and the way in which organisations participating in the TCF

must make these TC Strings available to the Managing Organisation, i.e. the

defendant.

361. Basedontheforegoingexplanations,theLitigationChamberfindsthatthedefendantmust

be considered as data controller for the personal data processing with respect to the

registration of the consent signal, objections and users' preferences by means of the TC

String, in accordance with the policies and technical specifications of the Transparency

& Consent Framework.

B.3. - Joint controllership of publishers, CMPs and adtech vendors with regard to the means and

purposes of the processing of personal data within the context of the TCF and of the OpenRTB

362. IAB Europe's responsibility does not exclude that there are other data controllers

implementing the TCF and relying on the OpenRTB protocol, that have their own or shared

responsibility for the personal data processing operations they perform.

14IABEuropeworkedwithIABTechLabtodeterminethepoliciesfortheframework'srules.IABEuropehasalsoentrusted
Tech Lab with the development as well as the hosting of the technical implementations and specifications of the TCF, due
to their technological expertise.

79, B.3.1. - Joint processing responsibility

363. Article 26.1 of the GDPR states that joint responsibility exists when "two or more jointly

determine the purposes and means of the processing". The Court of Justice specified that

'the existence of joint responsibility of the various actors does not necessarily mean that

they are equally responsible for one and the same processing of personal data. On the

contrary, those actors may be involved at different stages and to different degrees, so that

the assessment of the level of responsibility of each of them must take account of all the

148
relevant circumstances of the particular case' .

364. Again, the EDPB further explained that the assessment of joint processing responsibility

should be based on a factual rather than a formal analysis of the actual impact on the

purposes and means of processing 149.

365. First of all, the Litigation Chamber underlines that an identical decision does not necessarily

have to exist in order to speak of joint processing responsibility; it is sufficient that the

defined purposes are complementary to eachother 15.TheEDPB also emphasises thatjoint

participation in the definition of the means and purposes may take the form of a common

decision as well as result from different yet converging decisions of two or more entities
151
regarding the purposes and essential means of a data processing operation .

366. Decisions may be considered to be convergent ifthey are complementary and necessary

for the processing in a way that confers a tangible influence on the determination of the

purposes and means of processing. The question to be asked is whether the intended

processing of personal data would be impossible without the participation of all parties,

more specifically, whether the processing activities carried out by each party are

inseparable and indivisible.

367. Both in its submissions and during the hearing, IAB Europe emphasised that the TCF and

the OpenRTB system are completely independent from each other, in the sense that even

withoutparticipationintheTCF, adtechvendors can freelyprocess personal datawithinthe

context of the OpenRTB. On the other hand, the complainants have always referred to the

148
CJEU Judgment of 10 July 2018, Tietosuojavaltuutettu et Jehovan todistajat - uskonnollinen yhdyskunta, C-25/17,
ECLI:EU:C:2018:551,para.66andCJEUJudgmentof29July2019,FashionIDGmbH&Co.KG,C-40/17,ECLI:EU:C:2019:629,
para. 70.
149EDPB - Guidelines 7/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para.52.
150
Opinion of Advocate General Bobek in Fashion ID, C-40/17, ECLI: EU:C:2018:1039, paragraph 105: "Even though the
specific commercial use of the data may not be the same, both the defendant and Facebook Ireland appear to be pursuing
commercialpurposesingeneralthatappeartobecomplementary.Althoughthereisnoidenticalpurpose,thereisaunity of
purpose, namely a commercial and an advertising purpose.”
151
EDPB - Guidelines 7/2020 on the concepts of controller and processor in the GDPR, v2.0, 2021, para.54.

80, inherent interconnectedness between OpenRTB and the TCF, which the defendant itself
152
would confirm - according to the complainants - in the TCF Implementation Guidelines .

368. The Litigation Chamber finds that the defendant's argument cannot be followed, given that

the defendant repeatedly states in its submissions, that the reason for the existence of the

TCF is precisely to bring the processing of personal data based on the OpenRTB protocol,

among others, into conformity with the applicable regulations, including the GDPR and the

ePrivacy directive. Although the Litigation Chamber understands that the TCF may also be

153
used by publishers for other applications , whether or not in collaboration with CMPs, it is

equally certain that the TCF was never intended to be a stand-alone, independent

ecosystem.

369. On the contrary, the Litigation Chamber notes that the Transparency and Consent

Framework includes policies and technical specifications that should enable website and

application publishers (publishers) and adtech partners that support the targeting, delivery

and measurement of advertising and content (adtech vendors) to disclose transparently

their processing purposes, to establish a legal basis for the processing of personal data for
154
the provision of digital advertising, and to obtain consent or identify objections of users .

370. Thus, the Litigation Chamber finds that the decisions translated by IAB Europe into the

provisions of the TCF policies and technical specifications, on the one hand, and the

means and purposes determined by the participating organisations in relation to the

processing - whether or not in the context of OpenRTB - of users' personal data, , on the

other hand, must be regarded as convergent decisions 155. IAB Europe provides an

ecosystem within which the consent, objections and preferences of users are collected

and exchanged not for its own purposes or self-preservation, but to facilitate further

processing by third parties (i.e. publishers and adtech vendors).

371. As a result, the Litigation Chamber finds that IAB Europe and the respective participating

organisations should be considered as joint controllers for the collection and subsequent

dissemination of users' consent, objections and preferences, as well as for the related

processing of their personal data, without the responsibility of participating CMPs and

adtech vendors detracting from IAB Europe's responsibility.

152https://github.com/InteractiveAdvertisingBureau/GDPR-Transparency-and-Consent-
Framework/blob/master/TCFv2/TCF-Implementation-Guidelines.md#how-does-the-tc-string-apply-to-non-openrtb-
situations.
153
Thus, the TCF can also be used for non-marketing-related purposes, e.g. audience measurement, performance
measurement, etc.
154Defendant's reply brief dd. 25 March 2021, para. 33.
155
See para. 365-366.

81, a. Consent Management Platforms (CMPs)

372. The CMPs ensure the technical implementation of consent banners through which data

subjects indicate their choices regarding the processing of their personal data.

373. Specifically, CMPs have the function of storing users' consent, objections and preferences

in the TC String, then storing the value in the form of a euconsent-v2 cookie in the browsers

used to visit the website, and finally providing an API to adtech vendors so that they can

156
access the consent, objection and preference values for each individual user .

374. CMPs that wish to register in the IAB Europe TCF v2.0 should implement the standardised

processing purposes and functionalities in their user interface to collect and store the

preferences of the data subject in this regard 15. They must also comply with the applicable

lawful principles, as set out in the IAB Europe TCF v2.0.

375. The Litigation Chamber has already established that the TC String in itself does not directly

identify persons or devices. However, once the TC String is placed on the user's device, a

CMPcanassignauniqueidentifiertothisTCString, i.e.theIPaddressofthedeviceonwhich

158
it is placed in the form of an euconsent-v2 cookie .

376. To provide a CMP interface to users, publishers need to implement the CMP JavaScript

code on their website. This code is then loaded directly from the CMP server or via the

delegated subdomain. As a result of this HTTP(S) request, both the publisher's server and

the CMP's server gain access to the IP address of the user visiting the website and seeing

the CMP interface 15.

377. Access to that IP address allows CMPs to enrich the consent, objection and preferences

contained in the TC String with other information already in their possession or in the

possession of the publisher and linked to that same IP address. On this basis, the Litigation

Chamber concludes that CMPs process a large number of personal data.

378. The Litigation Chamber assesses the extent to which the CMPs act as processors or as

(joint) controllers in the following paragraphs.

379. According to the defendant, as laid down in its TCF Policies, CMPs are in principle

160
considered to be processors . The Litigation Chamber disagrees with this view for the

following reasons. The CMPs' main task is to develop and provide interfaces that can have

156
C. SANTOS, M. NOUWENS , M. OTH, N. IELOVA, V. OCA , "Consent Management Platforms Under the GDPR: Processors
and/or Controllers?", in Privacy Technologies and Policy, APF 2021, LNCS, vol 12703, Springer, 2021, p. 50.
157IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 9 ff.
158
See para. 302 et seq. of this decision. See also C. ANTOS , M. NOUWENS , M. TOTH, N. BIELOVA, V. OCA, "Consent
Management Platforms Under the GDPR: Processors and/or Controllers?", in Privacy Technologies and Policy, APF 2021,
LNCS, vol 12703, Springer, 2021,p. 50.
159
Ibidem, p. 5.
160IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 9 ff.

82, a direct impact on the choice of the data subjects. The CMPs therefore play a key role, not

only in the context of the TCF, but also with regard to the processing of personal data under

the OpenRTB. They are therefore obliged to comply with the data protection principles laid

down in Article 5.1 of the GDPR (lawfulness, fairness and transparency of the processing of

personal data).

380. Although the TCF Policies prohibit CMPs from giving any preference to particular adtech

vendors on the Global Vendors List, and they must therefore in principle present all
161
registered adtech vendors to users, unless otherwise provided by the publishers , some

authors note that a number of CMPs do not comply with this requirement. This is done

either by imposing pre-selected adtech vendors on the publishers or by denying them the

162
possibility of deviating from the full list of adtech vendors by default .

381. Itis also worth noting that CMPs have a wide margin of appreciationregarding the interface

they offer to users. After all, the TCF policies impose only minimum interface requirements

on participating CMPs 163, with the result that in practice the interfaces and compliance with

the principles of fairness and transparency can vary greatly depending on which CMP the

website and application publishers work with 164.

382. Theforegoing findings lead theLitigationChamber to concludethatCMPs play asignificant

roleand therefore bear (joint) responsibility 165withregard to thepurposes and means ofthe

processing of users' personal data within the TCF and the OpenRTB system.

383. The Litigation Chamber notes, however, that this conclusion does not mean that all CMPs

must systematically be considered as joint-controllers together with IAB Europe and the

website publishers, or that the scope of the joint-controllership is without boundaries. As

166 167
explained earlier in this decision , the list of CMPs implementing the TCF is limitative

due to the mandatory registration and approval process with IAB Europe, as Managing

Organisation.TheLitigationChamber findsthejointcontrollershipestablishedinrelationto,

respectively:

i. the website or application publisher,

ii. the specific CMP implemented by the publisher and providing the TCF interface to

users,

161IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), p. 9, § 8 and p. 10, § 11.
162
C. SANTOS , M. OUWENS , M. OTH, N. IELOVA, V. OCA , "Consent Management Platforms Under the GDPR: Processors
and/or Controllers?", in Privacy Technologies and Policy, APF 2021, LNCS, vol 12703, Springer, 2021, pp. 57-59.
163IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 61 ff.

164Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), pp. 99-103.
165See para. 360 of this decision on the processing responsibility of IAB Europe for determining therecipients.

166See para. 102; 341 ; 344; 356-360; and 374.
167As of November 2021, the list of registered CMPs comprises 76entries: https://iabeurope.eu/cmp-list/.

83, iii. IAB Europe, as Managing Organization.

In this respect, the Litigation Chamber underlines that appropriate arrangements must be

made between the respective joint-controllers, in accordance with the requirements

foreseen under Article 26 GDPR.

384. CMPs are in principle required under the TCF Policies — developed and administered by the

defendant —toofferbydefaultallTCF-registeredadtechvendors intheirinterface.IfCMPs

apply the TCF Policies, the Litigation Chamber finds that the defendant is responsible for

the essential means of processing, since IAB Europe determines the recipients of the

personal data collected, and is thus jointly responsible for the transmission of the personal

data, including some data in the bid request.

385. If, on the other hand, the CMPs deviate from the TCF Policies, the Litigation Chamber

considers that this time the CMPs themselves act as data controllers in respect of the

recipientsofthepersonal data.To theextentthatCMPsdo notcomply withtheinstructions

imposed on them, they themselves are fully responsible 16, in line with Article 28.10 GDPR.

386. Finally, when the CMPs determine the list of recipients in accordance with the publishers'

instructions, the Litigation Chamber finds that the publishers bear the main responsibility

for the transfer of personal data to adtech vendors, without prejudice to IAB Europe’s

responsibility, without which the global list of participating adtech vendors would not exist

in the first place.

b. Publishers

387. Publishers usually act as data controllers in the context of the TCF, as they are supposed to

decide whether or not to cooperate with a registered CMP, and are also able to determine

which adtech vendors are allowed to advertise on their website or in their application. In

addition, publishers can exercise control over the legal ground for a specific processing

purpose, and they can exclude certain processing purposes 16.

388. Bid requests are sent by supply-side platforms (SSPs), in their capacity as representatives

of the publishers, to demand-side platforms (DSPs), which represent adtech vendors. The

format and content(or "attributes") ofsuch bid requests are determined in accordancewith

the technical specifications of the OpenRTB protocol, independently of the TCF.

389. As confirmed by the reports of the Inspection Service, IAB Europe is not involved in

determining the attributes of a specific bid request. It is primarily the publishers of websites

168
EDPB - Guidelines 7.2020 on the concepts of controller and processor in the GDPR, v2.0, para. 150.
169IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 21-22.

84, and applications who decide which attributes are included in a bid request and passed on to

the adtech vendors.

390. A bid request contains at least a unique identifier for each bid request (Bid ID) and a unique

identifier for the advertising space being auctioned (Item ID). In addition, a bid request will

typically contain information about the user device, user details, website or application, and

technical details about the advertising space (Impression) 17.

391. Onthebasis oftheforegoing, theLitigationChamber finds thatthe bid request contains the

most personal data, and that these data are not processed by the defendant, but mainly by

the publishers, the CMPs and the various adtech vendors who, in principle, are all required

to comply with the values of the TC String, in accordance with the policies of the TCF.

392. To the extent that a publisher relies on a CMP that has implemented the TCF, the bid

request will also contain a TC String indicating the preferences of the website visitor or

application user. The Litigation Chamber is of the opinion that this can be considered not

only as additional evidence that the TC String is indeed personal data, as it concerns

information relating to an identifiable natural person 171, but also demonstrates that the

preferences stored in the TC String have a direct and significant effect on the subsequent

processing activities.

393. Therefore, if a user knowingly or unknowingly gives his consent by means of an "accept all"

button in a CMP interface, and both the website publisher and the CMP have not deviated

from the full list of participating adtech vendors, this means that the personal data of the

data subject will be shared with hundreds of third parties.

394. InlinewithitsprevioussubmissionwithregardtoCMPs 17,theLitigationChamberrulesthat

publishersalsoactasdatacontrollersfortheprocessingofusers'preferencesinaTCString

as well as their personal data processed in a bid request.

395. In addition, theLitigation Chamber refers to Article 23.5 of the TCF Policies, which prohibits

publishers from changing the processing purposes, or giving CMPs any instruction to that
173
effect .

396. Therefore, insofar as the publishers decide not to deviate from the proposed default list of

adtech vendors and accept all the proposed processing purposes, the Litigation Chamber

also considers that IAB Europe is acting as a joint data controller with the publishers in

170
Technical Analysis Report of the Inspection Service, 4 June 2019(Exhibit 24), pp. 12-13.
17See para. 291 et seq. of this decision.
17See para. 382 et seq. of this decision.
173
IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 22-23.

85, respect of the recipients of the TC String as well as the processing purposes for which the

users' personal data will be processed.

c. Adtech vendors

397. The Litigation Chamber has already determined that IAB Europe bears responsibility with

regard to defining the various processing purposes under the TCF 174.

398. When registering for TCF v2.0, adtech vendors must also choose the intended processing

purposes and possible bases, based on a predetermined, fixed list of purposes.

399. In this sense, the Litigation Chamber finds that the adtech vendors, together with the

defendant, are jointly responsible for the processing operations that take place within the

context of the OpenRTB for the processing purposes foreseen under the TCF and in

accordance with the preferences, objections and consents collected within the TCF. The

latter aspect, however, does not affect the role that adtech vendors themselves play when

they specify the purposes for which they themselves wish to process the personal data

contained in a bid request, or for subsequent data processing not provided for under the

TCF 17.

400. Moreover, theLitigationChamber makes it clear that, similarly to theCMPs, adtech vendors

are also required to register with the TCF in order to benefit from it. This means that the

joint-controllership is limited to the registered adtech vendors 176.

d. Assessment by the Litigation Chamber

401. This factual analysis of the role of CMPs, publishers and adtech vendors shows that the

decisions on determining the purposes and means of the processing activities carried out

by the defendant within the context of the TCF (which aim to bring the processing activities

carried out by the aforementioned participating organisations in line with the GDPR and the

ePrivacy Directive) complement the decisions regarding the purposes and means of the

processing activities carried out by the participating organisations under the OpenRTB and

should thus be regarded as convergent decisions.

402. This leads the Litigation Chamber to the conclusion that the defendant as well as the

CMPs, publishers and participating adtech vendors should be regarded as joint data

controllers for the collection and dissemination of users' preferences, objections and

consent and for the subsequent processing of their personal data.

17See para. 331 et seq. of this decision.
175WP171 - Opinion 2.2010 on Online Behavioural Advertising, pp. 10-11.

176https://iabeurope.eu/vendor-list-tcf-v2-0/.

86,B.4. On the alleged breaches of the General Data Protection Regulation

B.4.1 - Lawfulness and fairness of processing (Art. 5.1.a and 6 GDPR)

403. With regard to the lawfulness and fairness of the processing, the Litigation Chamber

distinguishes two processing activities: on the one hand, the capture itself of the consent

signal, objections and preferences of users in the TC String by the CMPs (a), and, on the

other hand, the collection and dissemination of the users' personal data by the participating

organisations (b).

a. Registration of the consent signal, objections and users' preferences by means of the TC

String

404. The Litigation Chamber finds that users are not informed anywhere of the lawful basis for

the processing of their own, individual preferences in relation to purposes and permitted

adtech vendors by CMPs.

405. Theunderlying reasoning ofthedefendantinthis regard is thattheTC String is notpersonal

data and therefore no basis for its processing is required.

406. As already established, the Litigation Chamber does not agree with the defendant's

position17. The Litigation Chamber has established that the generation and dissemination

of the TC String does involve the processing of personal data. 178 Consequently, this

processing must in any case be based on one of the exhaustively listed processing grounds

under Article 6 of the GDPR. For this reason, the Litigation Chamber will consider the

question of whether one of the legal bases of Article 6 GDPR can be relied on.

407. First of all, the Litigation Chamber finds that neither the TCF Policies nor the TCF

Implementation Guidelines mention an obligation on the part of the CMPs to obtain the

unambiguous consent of users before capturing their preferences in a TC String, which is

placed ontheend devices ofusers thanks to a euconsent-v2 cookie.Furthermore, users are

never informed about the processing of their preferences by the TC String, with whom their

preferences are shared, nor how long their preferences are stored. Since the visitors'

consent is never asked, Article 6.1.a de facto does not apply as a legal basis for this

processing.

408. In addition, the Litigation Chamber points out that Article 6.1.b is prima facie not applicable

to the processing of user preferences and the TC String. In the majority of the cases, even

if there were a contractual relationship between the users and the publisher, the data

processing involved under the TCF would still not meet the requirement of objective

177
See supra B.1.1. – Presence of personal data within the TCF.
17See supra B.1.2. - Processing of personal data within the TCF.

87, necessity for the provision of online services by the publishers to the users concerned (in

particular for processing for the purposes of personalisation of content and for advertising
179
based on surfing behaviour) .

409. In the absence of any contractual relationship between the data subjects and CMPs or IAB

Europe, as well as an unambiguous consent given by the users for placing a euconsent-v2

cookie, the Litigation Chamber must assess whether Article 6.1.f (legitimate interest) could

serve as legal basis: does the legitimate interest pass the threefold test of the CJEU and, if

so, could Article 6.1.f GDPR serve as a basis for this preliminary processing of the users'

preferences by CMPs, inaccordancewith themeans and purposes as setoutby IAB Europe

in its TCF Policies and TCF Implementation Guidelines?

410. In order to rely on Article 6.1.f GDPR as a legal ground for the processing of personal data,

the legitimate interest of the controller or third parties, which is closely related to (yet

distinct from) the concept of processing purpose, must be balanced against the interests or

fundamental rights and freedoms of the data subjects. Whereas 'purpose' refers to the

specific reason why the data are processed, i.e. the aim or intention of the data processing,

the notion of interest is linked to the broader stake that a controller may have in the

processing, or the benefit that the controller — or a third party, which must not necessarily
180
qualify asaco-controllerinrespectofthedataprocessing —derivesfromtheprocessing .

411. Pursuant to Article 6.1.f of the GDPR and the case law of the Court of Justice, three

cumulative conditions must be met in order for a controller to be able to validly rely on this

grounds for lawfulness, "namely, firstly, the legitimate interests pursued by the controller

or by the third party or parties to whom the data are disclosed, secondly, the necessity of

processing the personal data for the purposes of the legitimate interest pursued and,

thirdly, the condition that the fundamental rights and freedoms of the data subject are not

181
prejudiced" (Rigas judgment ).

412. In order to be able to invoke the ground for lawfulness of "legitimate interest" under Article

6.1.f of the GDPR, the controller must demonstrate, in other words, that:

1) the interests it pursues with the processing can be recognised as legitimate (the

'purpose test');

179EDPB - Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision
of online services to data subjects, v2.0, 8 October 2019, para. 23 et seq., para. 52 et seq. and para. 57 et seq.,
https://edpb.europa.eu. This is asituation different from the pending case before the Court of Justice C-446/21, Maximilian

Schrems vs. Facebook Ireland Ltd.
180CJEU Judgment of 11 December2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18,ECLI:EU:C:2019:1064,
para. 44.
181
CJEU Judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rīgas pašvaldības
SIA "Rīgas satiksme", C-13/16; ECLI: EU:C:2017:336, paragraphs 28-31. See also CJEU Judgment of 11 December 2019, TK
v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064, para. 40.

88, 2) the processing envisaged is necessary for the purposes of achieving those

interests (the "necessity test"); and

3) the balancing of these interests against the interests, fundamental freedoms and

rights of data subjects weighs in favour of the data controller or a third party (the

"balancing test").

413. As regards the first condition, the Litigation Chamber considers that the purpose of

capturing users' approval and preferences in order to ensure and be able to demonstrate

thatusers havevalidly consented to or not objected to theprocessing oftheir personal data

for advertising purposes may be considered to be carried out for a legitimate interest.

414. The interest pursued by the defendant as the data controller may, in accordance with

recital 47 of the GDPR, be regarded as legitimate in itself. More specifically, the possibility

of storing the preferences of users 182is an essential part of the TCF and the Litigation

Chamber notes thatthis isdoneinthelegitimateinterestofthedefendantas well as ofthird

parties involved, such as the participating adtech vendors.

415. Thus, the first condition set out in Article 6.1.f of the GDPR is fulfilled.

416. In order to fulfil the second condition, it must then be demonstrated that the processing is

necessary for the achievement of the purposes pursued. This means, in particular, that the

question must be asked whether the same result can be achieved by other means without

processing personal data or without processing that is unnecessarily burdensome for the

data subjects.

417. In view of the objective of enabling both website or application publishers and participating

adtechproviderstocommunicatethepurposesoftheirprocessinginatransparentmanner,

to establish a valid legal basis for the processing of personal data for the purpose of

providingdigitaladvertising,andtoobtainconsent — ortoidentifywhetheranobjectionhas

been raised to the processing of data based on their legitimate interest 183, the Litigation

ChambermustverifywhetherthepersonaldataincludedintheTCString arelimitedtowhat

is strictly necessary to capture the consent, objections and preferences of a specific user.

418. This second condition is also met by compliance with the principle of data minimisation

(Article 5.1.c of the GDPR). The Litigation Chamber notes that the information processed in

a TC String 184is limited to data that are strictly necessary to achieve the intended purpose.

182
Includingthecollectionofavalidconsentpriortotheprocessingofpersonaldata,orthepossibilityfortheuserstoobject
to a processing based on Article6.1.f GDPR at the time of the collection of personal data.
183IAB Europe Transparency & Consent Framework - Policies, Version 2020-11-18.3.2a, p. 5, https://iabeurope.eu/iab-
europe-transparency-consent-framework-policies/

18See para. 300 and 301 of this decision.

89, In addition, based on the documents in this file and the parties' defences, the Litigation

Chamber has not been able to establish that the TC String is retained indefinitely.

419. In order to verify whether the third condition of Article 6.1.f of the GDPR — the so-called

"balancing test" between the interests of the data controller, on the one hand, and the

fundamental freedoms and rights of the data subject, on the other hand — can be met, the

reasonable expectations of the data subject must be taken into account in accordance with

recital 47 of the GDPR. In particular, it should be evaluated whether the data subject “may

reasonably expect, at the time and in the context of the collection of personal data, that

185
processing may take place for that purpose” .

420. This is also emphasised by the Court ofJustice inits judgment"AsociaţiadeProprietari bloc

186
M5A-ScaraA" , in which it states:

“Alsorelevantforthisarethedatasubject'sreasonableexpectationsthathisorherpersonal

data will not be processed when, in the given circumstances of the case, the data subject

cannot reasonably expect further processing of the data.”

421. In this regard, the Litigation Chamber finds it remarkable that no option is offered to users

to completely oppose the processing of their preferences in the context of the TCF.

Regardless of which choice they make, the CMP will generate a TC String before linking it

to the user's unique User ID through a euconsent-v2 cookie placed on the data subject's

end device.

422. Moreover, since users are not informed of the installation of an euconsent-v2 cookie on

their terminal device, whether or not they agree with the purposes and adtech vendors

offered by the CMP, and moreover they are not informed of their right to object to such

processing, the Litigation Chamber finds that the last condition of Article 6.1.f of the GDPR

is currently not met.

423. The severity of the breach of the data subject's rights and freedoms is also an essential

element of the assessment under Article 6.1.f GDPR. The result of this assessment
187
depends on the particular circumstances of a specific case . In this context, according to

the Court of Justice, particular account should be taken of 'the nature of the personal data

concerned, inparticular their potentially sensitive nature, and ofthe nature and specific way

in which they are processed, in particular the number of persons having access to them and

the way in which they acquire such access' 188. In this context, the Litigation Chamber

185Recital 47 of the GDPR.
186
CJEU Judgment of 11 December2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18,ECLI:EU:C:2019:1064,
para. 58.
187Ibidem, para. 56.
188
CJEU Judgment of 11 December 2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18,ECLI:EU:C:2019:1064,
para. 57.

90, emphasises the large number of participating organisations that are given access to the TC

String, in addition to the reduced control by the data subjects over the nature and the scope

of the processing of their personal data by these organisations.

424. In the absence of a valid legal basis, the Litigation Chamber rules that the data

processing in the context of the TCF in its current format, whereby CMPs capture the

preferences of online users in a TC String, does not comply with Article 6 of the GDPR.

425. It is therefore undeniable to the Litigation Chamber that IAB Europe, as Managing

Organisation for the TCF, has failed to provide a legal basis for the processing of user

preferences in the form of a TC String and has therefore breached article 6 GDPR.

b. Collection and dissemination of personal data in the context of the RTB

426. It is in no way disputed that the TCF is aimed at capturing, through the interfaces offered by

the CMPs, the consent of users or their lack of objection to the legitimate interests of the

participating adtech vendors.

427. For the record, the Litigation Chamber emphasises that these two bases relate to

processing activities that take place under the RTB, in accordance with the OpenRTB

protocol.

428. However, the Litigation Chamber finds that none of the legal grounds proposed and

implemented by the TCF can be lawfully invoked by TCF participants. First of all, the

LitigationChamber considers that theconsentof the datasubjects obtained throughCMPs

is not legally valid (i) nor is the (pre)contractual necessity applicable (ii). Furthermore, the

LitigationChamber finds thatthelegitimateinterestdoes notmeetthethreefold testofthe

CJEU (iii). Thus, Article 6 of the GDPR is infringed.

(i) - Consent is not a valid basis for the processing operations in the OpenRTB

facilitated by the TCF

429. Inorder to ensurethat publishers and adtechvendors comply withthestricter transparency

and consent requirements under the GDPR with respect to the processing of personal data

in the context of OpenRTB (or RTB in general), CMPs provide a relatively standardised

interface for users to choose whether to consent or object to the transfer of their personal

data to hundreds of third parties at once, for specified purposes.

430. On the basis of the documents in this file, the Litigation Chamber understands that the

participants can pursue one or more purposes from the 12 standardised purposes that the

91, TCF makes availableto participating adtechvendors and thatareoffered tousers bymeans

189
of the CMPs .

431. However, the system of CMPs poses problems on several levels, with the result that the

consent obtained by these CMPs (via the TCF) for the processing carried out in the context

of the OpenRTB is not legally valid in light of Article 7 GDPR.

432. In order to be used as a legitimate basis, consent under Article 7 of the GDPR must meet

strict conditions. However, for the reasons set out below, the Litigation Chamber finds that

the consent collected by CMPs and publishers in the current version of the TCF is

insufficiently free, specific, informed and unambiguous.

433. First of all, the Litigation Chamber finds that the proposed processing purposes are not

sufficiently clearly described, and in some cases are even misleading 19. By way of example,

theLitigationChamberfindsthatpurpose8("Measurecontentperformance")and9("Apply

market research to generate audience insights") 191provide little or no insight into the scope

of the processing, the nature of the personal data processed or for how long the personal

data processed will be retained if the user does not withdraw his consent.

434. Furthermore, based on the documents in the file, the Litigation Chamber understands that

the user interface of the CMPs does not provide an overview of the categories of data

collected, which makes it impossible for users to give their informed consent.

435. The Litigation Chamber also notes that the TCF makes it particularly difficult for users to

obtainmoreinformationabouttheidentityofall data controllers to whomtheygiveconsent

to process their data for certain purposes before obtaining their consent. In particular, the

recipients for whom consent is obtained are so numerous that users would need a

disproportionate amount of time to read this information, which means that their consent

can rarely be sufficiently informed.

436. Moreover,theinformationCMPsprovidetousersremainstoogeneraltoreflectthespecific

processing operations of each vendor, thus preventing the necessary granularity of

consent.

437. In addition, the Litigation Chamber takes the view that the enrichment of the data in a bid

request with personal data already held by the adtech vendors and the relevant Data

Management Platforms means that users cannot possibly be properly informed, since the

TCF in its current format does not provide for participating organisations to indicate what

189For an overview of these TCF purposes, see para. 337 of this decision.
190See para. 465 et seq. of this decision.

19IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 34-36.

92, personal data they already hold and what processing operations they already perform with

these data.

438. Finally, the Litigation Chamber finds that consent, once obtained by CMPs, cannot be

withdrawn by users as easily as it was given, as required by Article 7 GDPR. First of all, the

Litigation Chamber notes that under the TCF Policies, adtech vendors are required to

comply with a user's consent signals in real time 192, while no measure is provided to ensure

that adtech vendors cannot continue their processing based on a previously received

consent signal. After all, the TCF does not provide for proactive communication of the

changed consent signals to the adtech vendors. In addition, adtech vendors can in principle

no longer access the personal data of the data subject after the latter has withdrawn his

consent, which also means that they cannot identify the user for whom consent has been

withdrawn as such, with the result that the adtech vendors will continue to process the

193
personal data of the user in question .

439. Indeed, the Litigation Chamber understands that CMPs are at the intersection between

users and participating adtech vendors, who receive their personal data and then process

them for their own purposes. Such a configuration therefore means that the withdrawal of

a consent via a CMP will only take effect as soon as the vendor concerned reads the new

values in the modified TC String via the CMP API. In other words, the withdrawal of consent

is never immediate and thus cannot be considered effective.

440. Therefore, the Litigation Chamber concludes that Article 6.1.a GDPR does not constitute a

valid legal basis for the processing and dissemination of personal data in the context of the

OpenRTB, insofar as such consent was obtained in accordance with the TCF in its current

format.

(ii) - The legitimate interest of the participating organisations does not outweigh

theprotectionofthefundamentalrightsandfreedomsofthedatasubjects.

441. The question is then to what extent the organisations participating both in the TCF and the

OpenRTB (adtech vendors) can legitimately rely on Article 6.1.f GDPR for the predefined

processing purposes that entail targeted advertising or profiling of theusers, as opposed to

non-marketing related purposes such as audience measurement and performance

measurement.

442. As referred to previously 194, the assessment of the legitimate interests should be done on

the basis of the three steps approach established by the Court of Justice. This assessment

192
IAB Europe Transparency & Consent Framework Policies v2020-11-18.3.2.a (Exhibit B.13), p. 14.
193For more information, see: MEALE, R. UIDERVEENBORGESIUS, "Adtech and Real-Time Bidding under European Data
Protection Law", German Law Journal, 31 July 2021, p. 26.
194
See para. 411 et seq.

93, shall be conducted by the data controllers prior to a processing operation based on Article

6.1.f GDPR. They determine the means and purposes of the intended personal data

processing activities and are thus able to apply appropriate safeguards to prevent a

disproportionateimpact onthe datasubjects. In caseofseveral controllers which are jointly

responsible, the principles of accountability and transparency require that the assessment

should be performed jointly by all the data controllers involved in the processing.

443. As stated by theArticle29 Working Party, bothpositive and negativeconsequences should

be taken into consideration when assessing the impact of the processing, which must be

necessary and proportionate to achieve the legitimate interests pursued by the data

controllers or a third party. Such consequences may include “potential future decisions or

actions by third parties, and situations where the processing may lead to the exclusion of,

or discrimination against, individuals, defamation, or more broadly, situations where there is
195
a risk of damaging the reputation, negotiating power, or autonomy of the data subject” .

444. With regard to the purpose test, in particular whether the interests pursued by publishers

and adtech vendors in processing personal data can be recognised as legitimate, the

Litigation Chamber understands that the participating organisations have an interest in

collecting and processing users' personal data in order to be able to offer tailor-made

advertisements.

445. Based on the case law of the Court of Justice and the guidelines of the EDPB, the Litigation

Chamber finds that the notion of legitimate interest can have a broad scope, with the

understanding that an interest invoked by a data controller must be sufficiently specific,

existent, current, and not hypothetical 19.

446. In this regard, the Litigation Chamber can only note that the proposed processing purposes

are described in general terms, with the result that it is not easy for users to assess to what

extent the collection, dissemination and processing of their personal data are necessary for

the intended purposes, insofar as these are also understood by the users.

447. In order to be relevant, a legitimate interest must be in accordance with applicable EU and

national law; sufficiently specific and clearly articulated to allow the balancing test to be

carried out, and represent a real and present interest. Hence, merely invoking a legitimate

interest in the processing of personal data is not sufficient; the outcome of the balancing

test will determine whether Article 6.1.f GDPR can be relied upon 19.

195
Article 29 Working Party – Opinion 06.2014on the notion of legitimate interests of the data controller under article 7 of
Directive 95-46-EC (WP217), p. 37.
196CJEU Judgment of 11 December2019, TK v. Asociaţia de Proprietari bloc M5A-ScaraA, C-708/18, ECLI:EU:C:2019:1064,
para. 44.

197Ibidem, p. 25.

94, 448. The TCF Policies do not foresee an obligation for the CMPs to explain the legitimate

interests at stake in clear terms to the users. Instead, the specific user interface (UI)

requirements contained in the TCF Policies for framework UIs in connection with legitimate
198
interests, only require from the CMPs that a secondary information layer be provided ,

allowing the users to:

i. see information about the fact that personal data is processed, and the nature of

the personal data processed (e.g. unique identifiers, browsing data);

ii. see information about the scope of the legitimate interest processing and scope of

any objection to such processing;

iii. access settings within the Framework UI to object to processing of their personal

data on the basis of a legitimate interest;

iv. review the list of processing purposes including their standard name and their full

standard description, as defined in Appendix A of the TCF Policies, and to provide

users with a way to see which vendors are processing their data for each of the

purposes on the basis of a legitimate interest;

v. exercise their right to object, either with respect to each adtech provider whose

processing is based on legitimate interest or, separately, for each purpose pursued

by adtech providers on the basis of legitimate interest;

vi. review the list of named vendors, their purposes and legal bases, and find a link to

each vendor’s privacy policy.

449. By way of example, the Litigation Chamber refers to the definitions for processing purpose

5 (Create a personalised content profile), in Appendix A of the TCF Policies 19:

198
IAB Europe Transparency & Consent Framework Policies v2020-11-18.3.2a, pp. 67-68.
199IAB Europe Transparency & Consent Framework Policies v2020-11-18.3.2a, p. 32.

95, 450. Notwithstanding the fact that the TCF Policies state that they establish minimum

requirements for language, design and other elements in the Framework UI, intended to

align with legal requirements of EU privacy and data protection law, the Litigation Chamber

also notes that the general rules and requirements for framework UIs further specify that:

“b. When providing transparency about Purposes and Features, the Framework UI must do

so only on the basis of the standard Purpose, Special Purpose, Feature, and Special Feature

namesanddefinitionsofAppendixAastheyarepublishedontheGlobalVendorListorusing

Stacks 200in accordance with the Policies and Specifications. UIs must make available the

standard legal text of Purposes, Special Purposes, Features, and Special Features of

Appendix A but may substitute or supplement the standard legal definitions with the

standard user friendly text of Appendix A so long as the legal text remains available to the

user and it is explained that these legal texts are definitive.”

451. The Litigation Chamber interprets these general rules as prohibiting CMPs and publishers

participating to the TCF from further explaining to the data subjects, in a clear and user-

friendly manner, both the pursued legitimate interests as well as the reasons for believing

200Stacks are, in essence, combination of different processing purposes.

96, that their interests are not overridden by the interests or fundamental rights and freedoms

of the data subjects 20.

452. Although, in the context of the present case, the Litigation Chamber does not express an

202
opinion on whether an economic interest can be regarded as a legitimate interest within

themeaningofArticle6.1.foftheGDPR,it considers thatthelackofspecificityofthestated

purposes means that the first condition for specific lawful processing is not met with the

standard descriptions of the processing purposes and pursued interests, as imposed by the

TCF Policies.

453. In the context of the necessity test, which aims to determine whether the intended

processing operations are necessary for achieving the interests pursued, the question

should be asked whether the legitimate interests pursued by the processing of data could

not reasonably be achieved just as effectively by other means with less interference with

the fundamental freedoms and rights of data subjects, in particular their right to respect for

their privacy and their right to the protection of personal data as guaranteed by Articles 7

and 8 of the Charter 203.

454. The Court of Justice has also clarified that the condition of necessity of processing must be

204
examined in relation to the principle of data minimisation laid down in Article 5.1.c GDPR .

In other words, according to the EDPB, it is necessary to consider whether other, less

invasive means are available to achieve the same objective.

455. In this case, the Litigation Chamber understands that no safeguards are provided to ensure

that the personal data collected and disseminated are limited to information that is strictly

205
necessary for the purposes intended .

456. In the absence of measures that adequately demonstrate that no inappropriate personal

data are being disseminated, the Litigation Chamber is forced to decide that the second

condition has not been met.

457. With regard to the balancing test, in particular whether the interests pursued by the adtech

vendors outweigh the fundamental freedoms and rights of the data subjects, the

201Article 29 Working Party – Opinion 06.2014on the notion of legitimate interests of the data controller under article 7 of
Directive 95-46-EC (WP217), p. 47.
202
As opposed to the interest pursued by capturing the users’ choices in a TC String, as discussed in para. 404 et seq.
203CJEU Judgment of 4 May 2017, Valsts policijas Rīgas reģiona pārvaldes Kārtības policijas pārvalde t. Rīgas pašvaldības
SIA "Rīgas satiksme", C-13/16; ECLI: EU:C:2017:336, para. 47.
204
Ibidem, para. 48.
205In this respect, some authors argue that there are alternatives to RTB, in which only minimal information about the user
iscommunicated.SeeM.V EALE,FR.ZUIDERVEEN BORGESIUS,"AdtechandReal-TimeBiddingunderEuropeanDataProtection

Law",GermanLawJournal,31July 2021,pp.19et seq.The authorsreferinparticulartothebrowserplug-inAdnostic,which
wasdeveloped10yearsagoandbuildsupaprofilebasedontheuser'ssurfingbehaviourinordertotargetadvertisements,
with only minimal information leaving the user's device and behavioural targeting taking place exclusively in the user's
browser. In addition, the authors refer to Google's so-called Federated Learning of Cohorts (FLoC) system for
microtargeting within Chrome.

97, reasonable expectations of the data subjects should also be taken into account in

accordance with recital 47 of the GDPR, in addition to the special circumstances of the

particular case 206.

458. Thecriterionoftheseriousnessofthebreachoftherights and freedomsofthedatasubject

constitutes an essential element of the case-by-case assessment required by Article 6.1.f
207
GDPR . In this context, according to the Court of Justice, particular account should be

taken of 'the nature of the personal data concerned, in particular their potentially sensitive

nature, and of the nature and specific way in which they are processed, in particular the

208
numberofpersonshavingaccesstothemandthewayinwhichtheyacquiresuchaccess' .

459. Once again, the Litigation Chamber finds that due to the large number of TCF partners that

may receive their personal data, data subjects cannot reasonably expect the processing

associated with this disclosure. In addition, there is the considerable amount of data that, in

accordance with the preferences entered within the TCF system, is collected by means of

a bid request and transmitted to the adtech vendors within the context of the OpenRTB
209
protocol .

460. Furthermore, as the EDPB states, the legitimate interest does not constitute a sufficient

legal basis in the context of direct marketing involving behavioural advertising 210. In

addition, the ICO concluded in a recent report that the legitimate interest is not a basis for

legality in the context of RTB (yet many publishers rely on this legal ground for their
211
processing) . In short, in view of the above, the Litigation Chamber has decided that the

third condition imposed by Article 6.1.f GDPR and the case law of the Court of Justice has

not been met in this case.

461. In light of the aforementioned considerations, the Litigation Chamber finds that the

legitimate interest of participating organizations cannot be deemed an adequate legal

ground for the processing activities occurring under the OpenRTB, based on users’

preferences and choices captured under the TCF.

206
CJEU Judgment of 11 December2019, TK v.Asociaţia de Proprietari blocM5A-ScaraA, C-708/18,ECLI:EU:C:2019:1064,
para. 58.
207Ibidem, para. 56.
208
CJEU Judgment of 11 December2019, TK v.Asociaţia de Proprietari blocM5A-ScaraA, C-708/18,ECLI:EU:C:2019:1064,
para. 57.
209Norsk Forbrukerrådet - "Out of Control. How consumers are exploited by the online advertising industry", 14 January
2020, https://www.forbrukerradet.no/undersokelse/no-undersokelsekategori/report-out-of-control/, pp. 36-37; see also

Recommendation CM/Rec(2021)8 of the Committee of Ministers of the Council of Europe to member States on the
protectionofindividualswithregardtoautomaticprocessingofpersonaldatainthecontextofprofiling,3November2021:
https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680a46147.
210Article 29 Working Party - Opinion 03/2013 on purpose limitation (WP 203), 2 April 2013, p. 46: "consent should be

required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-
brokering, location-basedadvertising or tracking-based digital market research".
211Information Commissioner's Office - "Update report into adtech and real time bidding", 20 June 2019,

https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf

98, (iii) - Contractual necessity is not a valid basis for the processing of

personal data in the context of TCF and OpenRTB

462. In line with the EDPB guidelines, the Litigation Chamber notes that, in general, the

(pre)contractual necessity of the processing is not a legal ground applicable to behavioural

212
advertising .

463. Moreover, the Litigation Chamber notes that the current version of the TCF does not

mention Article 6.1.b GDPR anywhere as a possible legal basis for the processing of

personal data within the TCF and OpenRTB.

464. Onthebasisofthe foregoingelements, theLitigationChamberthereforeconcludesthat

the processing of personal data under the OpenRTB on the basis of preferences

captured in accordance with the current version of the TCF is incompatible with the

GDPR, due to an inherent breach of the principles of lawfulness and fairness.

B.4.2. - Duty of transparency towards data subjects (Art. 12, 13 and 14 GDPR)

465. The complainants raise the issue of the lack of transparency, and more specifically the fact

that the OpenRTB ecosystem is so extensive that it is impossible for data subjects to give

an informed consent to the processing of their personal data, or to object in an informed

manner to the processing of their personal data on the basis of a legitimate interest.

466. The defendant, on the other hand, states that the TCF offers a solution to collect valid

consent from users, where applicable, in accordance with the requirements set out in the

GDPR and the ePrivacy Directive 213.

467. The Litigation Chamber finds that the information provided under the TCF in its current

format to data subjects, albeit for the purposes of processing their personal data in the

214
context of OpenRTB, does not meet the transparency requirements under the GDPR .

468. First of all, the Litigation Chamber states that IAB Europe may in certain cases claim the

215
"recordsofconsent"thatCMPs arerequiredtokeep,inaccordancewiththe TCFPolicies ,

but fails to inform data subjects of this possible processing by IAB Europe.

469. Secondly, the Litigation Chamber finds that the manner in which information is provided to

the data subjects, which was laid down by IAB Europe, does not comply with the

requirement of a "transparent, comprehensible and easily accessible form" 216. The former

212
EDPB - Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision
of online services to data subjects, v2.0, 8 October 2019, pp. 14 ff, https://edpb.europa.eu.
213IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32); IAB Europe Transparency &

Consent Framework Policies v2019-04-02.2c (Exhibit 38).
214See para. 433 et seq. of this decision.
215IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), pp. 11, 14and 19.
216
Art. 12.1 GDPR.

99, Article29Working Partystipulatesinitstransparencyguidelinesthat"therequirementthat

information and communication to data subjects be provided "in a concise, transparent,

comprehensible and easily accessibleform" means thatdata controllers should present the

information/communicationinanefficientandconcisemannerinordertoavoidinformation
217
fatigue" . Moreover, data subjects should be able to determine in advance the scope and

consequences of the processing and not be surprised later by other ways in which their

personal data have been used 21.

470. The Litigation Chamber finds that the approach taken so far does not meet the conditions

of transparency and fairness required by the GDPR. Indeed, some of the stated processing

purposes are expressed in too generic a manner for data subjects to be adequately

informed about the exact scope and nature of the processing of their personal data 219. This

isparticularlyproblematic forpurposesthatrely ontheconsentofdatasubjects,asconsent

220
must be specific and sufficiently informed in order to be valid as a legal basis .

471. The Litigation Chamber also refers to the examples of CMPs specified in the Technical

Report of the Inspection Service, and notes that the interface offered to users does not

allow, among other things, the processing purposes associated with the authorisation of a

particular vendor or which adtech vendors will process their data for a specific purpose to

221
be identified in a simple and clear manner .

472. In that regard, the Litigation Chamber emphasises that the large number of third parties, i.e.

the adtech vendors that will potentially receive and process the personal data of the users

contained in the bid request, based on the preferences they have submitted, is not

compatible with the condition of a sufficiently informed consent, nor with the broader

transparency duty set out in the GDPR.

473. On the basis of the foregoing elements, the Litigation Chamber must therefore rule that the

TCF inits currentset-up does notcomply withtheobligations arising from thetransparency

principle, notably Articles 12, 13 and 14 GDPR.

217WP260 - Guidance on transparency under the GDPR, para. 8.
218
WP260 - Guidance on transparency under the GDPR, para. 10.
219See para. 433 of this decision for examples as well as para. 441-452 for further analysis by the Litigation Chamber; see
alsoC.M ATT,C.S ANTOS,N.B IELOVA,"PurposesinIABEurope'sTCF:whichlegalbasisandhowaretheyusedbyadvertisers?",

in Privacy Technologies and Policy, APF 2020, LNCS, vol 12121, Springer, 2020, pp. 163-185.
220See para. 429-440 of this decision.
221
Technical Analysis Report of the Inspection Service, 6 January 2020 (Exhibit 53), pp. 99 et seq.

100, B.4.3. - Accountability (art. 24 GDPR), data protection by design and by default (Art. 25

GDPR), integrity and confidentiality (Art. 5.1.f GDPR), as well as security of processing (Art.

32 GDPR)

a. Principle of accountability and data protection by design and by default

474. Article 24.1 GDPR requires the data controller to implement appropriate technical and

organisational measures, taking into account the nature, scope, context and purposes of

processing as well as the risks of varying likelihood and severity for the rights and freedoms

of natural persons, to ensure and to be able to demonstrate that processing is performed in

accordance with the GDPR. Moreover, these measures shall be reviewed and updated as

necessary. This article reflects the principle of “accountability” set out in Article 5.2 of the

GDPR, according to which the controller shall be responsible for, and be able to

demonstrate compliance with, paragraph 1 (accountability). Article 24.2 of the GDPR

stipulates that, where proportionate in relation to processing activities, the measures

referred to in Article 24.1 GDPR shall include the implementation of appropriate data

protection policies by the controller.

475. Recital 74 of the GDPR adds that “the responsibility and liability of the controller for any

processing of personal data carried out by the controller or on the controller's behalf should

be established. It is important, in particular, that the controller is responsible for

implementing appropriate and effective measures and for demonstrating the conformityof

the processing activities with this regulation, including the effectiveness of the measures.

These measures must take account of the nature, scope, context and purpose of the

trafficking and the risk it poses to the rights and freedoms of physical persons”.

476. It is also incumbent on the controller, pursuant to Articles 24 (accountability) and 25 of the

GDPR (data protection by design and by default), to integrate the necessary respect for the

GDPR rules into its processing and procedures, e.g. to ensure the existence and

effectiveness of procedures for handling data subject requests and for checking the

integrity and compliance of the TC String.

b. The outline of the security obligation

477. Pursuant to Article 32 of the GDPR, the controller is responsible for ensuring the security of

the processing, “taking into account the state of the art, the costs of implementation and

the nature, scope, context and purposes of processing as well as the risk of varying

likelihood and severity for the rights and freedoms of natural persons”. In the present case,

the Litigation Chamber notes a lack of respect for the obligation to ensure the security of

processing on the part of the defendant, which is part of the principle of accountability. This

shortcoming will be addressed below.

101, 478. This failure to meet the obligation to ensure the security of processing constitutes a

fundamental point of the present decision and of the penalties it imposes. The absence of

technical and organisational measures aiming to ensure or tend to ensure the integrity of

the TC String is considered a serious offence.

479. On the basis of Article 5.1.f GDPR, personal data must be processed in such a way as to

ensure appropriate security, including protection against unauthorised or unlawful

processing and against accidental loss, destruction or damage, using appropriate technical

or organisational measures. In the absence of appropriate measures to secure the personal

data of the data subjects, the effectiveness of the respect of the fundamental rights to

privacy and to the protection of personal data cannot be guaranteed, especially in view of

the crucial role played by information and communication technologies in our society.

480. As indicated in the previous section, the lack of an obligation to ensure the security of
222
processing constitutes an important point in the decision . Given the very large number of

TC Strings generated each day within the TCF, it is essential that all the rules governing

participation in the TCF are observed and complied with by all the parties involved, under

the supervision of IAB Europe as the "Managing Organisation". The Litigation Chamber

recalls that the combined reading of articles 32 (Security of processing), as well as 5.2 and

24 GDPR (principle of accountability) requires the controller to demonstrate its compliance

with Article 32, by taking appropriate technical and organisational measures, in a

transparent and traceable manner.

481. The Litigation Chamber also recalls the requirement of Article 25 GDPR (data protection by

design and by default), which requires the data controller to integrate the necessary

compliance with the rules of the GDPR upstream of its actions.

482. Itshould alsobe noted thattheprincipleofsecuritywithitsvariouscomponentsofintegrity,

confidentiality and availability of the data is set out in Articles 5.1.f and 32 of the GDPR and

is now regulated in the GDPR at the same level as the fundamental principles of legality,

transparency and loyalty.

483. IAB Europe offers the TCF to make OpenRTB compliant with the GDPR. In other words, the

purpose of the TCF is to ensure that processing of personal data within the context of the

OpenRTB protocol takes place in accordance with the GDPR as well as the ePrivacy

Directive. Accordingly, IAB Europe, as Managing Organisation for the TCF and jointly
223
responsible for the processing operations carried out within that framework , should take

222
See para. 478 et seq. of this decision.
223See supra, title B.2. - Responsibility of IAB Europe for the processing operations within the Transparency and Consent
Framework.

102, organisational and technical measures to ensure that participants at least comply with the

TCF policies.

484. Notwithstanding the fact that in IAB Europe's current TCF system, adtech vendors receive

consent signals as part of an HTTP(S) request or via browser APIs, some authors take the

view that insufficient measures are in place under the TCF to guarantee the integrity of

consent signals (particularly their validity) and to ensure that a vendor has actually received
224
them (as opposed to having generated them itself) .

485. However, in the absence of validation by IAB Europe, it becomes theoretically possible for

CMPs to falsify or modify the signal to generate a euconsent-v2 cookie and thus reproduce

a "false consent" from users for all purposes and all adtech vendors. This case is also

explicitly provided for in the TCF Policies:

“A Vendor must not create Signals where no CMP has communicated a Signal and shall only

transmitSignalscommunicatedbyaCMPorreceivedfromaVendorwhoforwardedaSignal

originating from a CMP without extension, modification, or supplementation, except as
225
expressly allowed for in the Policies and/or Specifications.”

486. The Litigation Chamber takes note of the fact that the possibility of falsification or

modification of the TC String by CMPs is foreseen in the defendant's Transparency &

Consent Framework Policies document, which sets out the basis for the TCF.

487. The Litigation Chamber also relies on the fact that the defendant indicates on its website

the introduction of the "TCF Vendor Compliance Programme", through which audits of

226
organisations participating in the TCF (listed on the Global Vendors List) will take place .

The Litigation Chamber encourages all initiatives on the part of the defendant, that are

aimed at ensuring compliance with the obligation to process personal data under the TCF

in a secure manner on the part of the defendant. Nevertheless, in view of the defendant's

lack of systematic monitoring of compliance with the TCF rules by the participating

organisations, and taking into account the significant impact of such violations (e.g.

falsification or modification of the TC String), the Litigation Chamber considers that this

initiative to introduce the TCF Vendor Compliance Programme is insufficient to bring the

defendant into compliance with the security obligation.

488. In particular, the Litigation Chamber relies on the fact that the sanctions regime of this new

programme, provided by the defendant in the case of failure to comply with the rules of the

224See on this subject, for exampleANTOS,M.N OUWENS ,M.TOTH ,N.BIELOVA,V.ROCA, "Consent Management Platforms
UndertheGDPR:Processorsand/orControllers?",inPrivacyTechnologiesandPolicy,APF2021,LNCS,vol12703,Springer,

2021, p. 64.
225IAB Europe Transparency & Consent Framework Policies, Chapter III 13 (6), https://iabeurope.eu/iab-europe-
transparency-consent-framework-policies/#13_Working_with_CMPs
226
https://iabeurope.eu/blog/iab-europe-launches-new-tcf-vendor-compliance-programme/

103, TCF, is permissive and not dissuasive. In fact, a vendor may declare himself liable for a

breach up to 3 times, without any sanction, before being given 28 days to comply. Only in

the event of non-compliance after the expiry of the 28 days will the vendor be removed

fromthe Global Vendors List.Itcan also re-enter the listifit complies withtherequirements

later on. The programme also allows a vendor to be in breach up to four times, in order to

proceedtoanimmediatesuspensionduring abriefperiodof14days,untilthevendorcomes

into compliance. The " TCF Vendor Compliance Programme " is therefore not a sufficient

measure for ensuring the security of personal data processing operations carried out under

the TCF.

489. The Litigation Chamber also observes that no measures other than the « TCF Vendor

Compliance Programme » are foreseen by the defendant to monitor or prevent the

falsification or modification of the TC String.

490. With regard to the allegation by the plaintiffs that IAB Europe also violates Articles 44 to 49

GDPR, the Litigation Chamber acknowledges, in view of the scope of the Framework

— which involves a large number of participating organisations — that it is evident that

personal data captured in the TC Strings will be transferred outside the EEA at some point

by CMPs, and that the defendant is acting as data controller in this regard (see para. 356-

357). However, the Litigation Chamber notes that the Inspection Service did not include an

assessment of a concrete international data transfer in its report. For this reason, the

Litigation Chamber concludes that there is an infringement of the GDPR, but in view of the

lacking evidence of a systematic international transfer, as well as the scope and nature

thereof, the Litigation Chamber finds it is not in a position to sanction the defendant for a

violation of articles 44 to 49 GDPR. Notwithstanding the previous, the Litigation Chamber

also finds that these international transfers of personal data, where applicable, must be

assessed primarily by the publishers and CMPs implementing the TCF. The Litigation

Chamber findsthatthepublishersareresponsibleandaccountablefortaking thenecessary

measures to prevent personal data collected through their website and/or application from

being transferred outside the EEA without adequate international transfer mechanisms.

491. This being said, the Litigation Chamber also finds that the defendant should facilitate the

due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to

indicateclearly whether theyare located outside the EEAor whether theyintend to transfer

personal data outside the EEA through their data processors. Furthermore, the Litigation

Chamber notes that, contrary to its obligation under the principles of accountability and of

data protection by design and by default, IAB Europe did not foresee any mechanism to

ensure that participating publishers and CMPs have put in place adequate mechanisms for

potential international transfers of the TC String, as foreseen under Articles to 44 to 49

GDPR, both at the time of its creation and when transmitting the TC String to participating

adtech vendors. The preamble of the TCF Policies merely indicates that the TCF “is not

104, intended nor has it been designed to facilitate […] more strictly regulated processing

activities, such as transferring personal data outside of the EU”. The Litigation Chamber

finds that this does not meet the requirements of Articles 24 and 25 GDPR.

492. The Litigation Chamber notes, for the record, that it is uncertain whether, in view of its

current architecture and support of the OpenRTB protocol, the TCF can be reconciled with

the GDPR.

493. In this sense, IAB Europe’s accountability starts from the moment the organisation designs

and makes available a system for the management of consent or objections of users, but

fails to take the necessary measures to ensure the conformity, integrity and validity of that

consent or objection.

494. The Litigation Chamber therefore finds that, as part of its security and integrity obligations,

IAB Europe must take not only organisational but also technically effective measures to

ensure and demonstrate the integrity of the preferential signal transmitted by CMPs to

adtech vendors.

B.4.4. - Additional alleged breaches of the GDPR

a. Purpose limitation and data minimisation (Art. 5.1.b and 5.1.c GDPR)

495. Although in this decision the Litigation Chamber has already concluded that the processing

operations carried out on the basis of the OpenRTB protocol are not in accordance with the

basic principles of purpose limitation and data minimisation 227(as no safeguards are

provided to ensure that thepersonal datacollected and disseminated within the framework

of the OpenRTB are limited to information that is strictly necessary for the intended

purposes), the Litigation Chamber emphasises that the complainants have explicitly

indicated in their submissions that the scope of their allegations is limited to the processing

operations within the TCF. The Inspection Service also clarified in its report that IAB Europe

does not act as adata controller for theprocessing operations that takeplace entirely inthe

context of the OpenRTB protocol.

496. Taking these clarifications into account, the Litigation Chamber concludes that, given the

limited amount of data about a user that is stored in a TC String before being saved by

means of a euconsent-v2 cookie, there is no violation of the principles of purpose limitation

and data minimisation in the context of the TCF.

22See para. 495-496 of this decision

105, 497. Although larger quantities of personal data will be processed at a later stage, including

special categories of personal data, this is not the case with the TCF. Within the TCF,

therefore, there is no violation of the principles of purpose limitation and data minimisation.

b. Storage limitation (Art. 5.1.e GDPR)

498. With regard to the principle of storage limitation and based on the Inspection Service’s

report, theLitigationChamber finds thereis insufficient evidencethattheTC String and the

associated storage of users' personal data are stored for an unauthorised period of time, in

violation of Article 5.1.e GDPR.

499. Therefore, the Litigation Chamber concludes that no violation of article 5.1.e GDPR could

be established.

c. Integrity and confidentiality (Art. 5.1.f GDPR)

500. As already explained above 22, the Litigation Chamber finds that the current version of the

TCF offers insufficient safeguards to prevent the values included in a TC String from being

modified in an unauthorised manner, with the result that the personal data of a data subject

bundledinabidrequest maybeprocessedforthewrongpurposes,inbreachoftheintegrity

principle, and/or may end up with the wrong adtech vendors or the ones rejected by the

user, in breach of the confidentiality principle. The Litigation Chamber therefore rules that

the current version of the TCF violates Article 5.1.f of the GDPR.

d. Processing of special categories of personal data (Art. 9 GDPR)

501. Although a number of complaints are directed against the RTB system, including the

Authorized Buyers protocol developed by Google as well as the OpenRTB protocol

developed by IAB Tech Lab, the InspectionService determined inits report, as apreliminary

matter, that the Belgian Data Protection Authority did not have jurisdiction for the former

and that IAB Tech Lab does not act as a data controller for the latter 229.

502. The Litigation Chamber notes that the Inspection Service reports the lack of appropriate

rules for the processing of special categories of personal data under the TCF. However, this

observation is not supported by any technical analysis showing that special categories of

personal data are actually processed withintheTCF. On thecontrary, the technical analyses

by the Inspection Service show that the TC String in itself does not contain any information

that can be linked to the taxonomy of the websites visited, where, for example, special

categories of personal data may be involved.

228
See para. 477 et seq. of this decision.
229Investigation report of the Inspection Service, pp. 8-11.

106, 503. Therefore, the LitigationChamber rules that this allegationis unfounded and that no breach

of Article 9 of the GDPR by the defendant can be established.

e. Exercise of data subject rights (Art. 15 – 22 GDPR)

504. First of all, the Inspection Service notes in its report that certain complainants have argued

the impossibility for the data subjects to enforce their rights, although the investigation

carried out by the Inspection Service did not confirm these allegations. In view of the lack

of evidence of any infringement, the Litigation Chamber limits its reasoning to general

observations relating to the exercise of data subject rights.

505. Secondly, the Litigation Chamber refers to the scope of the written submissions by the

complainants, in which they specifically restricted their grieves to the processing of the

plaintiffs’ personal data by the defendant in the particular context of the TCF 230. As a result,

the Litigation Chamber will not assess the circumstances in which data subjects may

exercise their rights regarding the processing of personal data contained in the bid

requests, with respect to the adtech vendors, seeing as this processing occurs entirely

under the OpenRTB protocol.

506. However, with regard to the current version of the TCF, the Litigation Chamber finds that

the TCF does not seem to facilitate the exercise of the data subjects’ rights insofar as the

CMP interface cannot be retrieved easily and at all times by the users, such as to allow them

to amend their preferences and retrieve the identity of the adtech vendors with whom their

personaldatahavebeensharedby meansofabidrequest,inaccordancewiththeOpenRTB

protocol. In this regard, the Litigation Chamber underlines the importance of a proper

implementationand enforcementoftheinterfacerequirements defined inthe TCF Policies,

such as to allow data subjects to effectively exercise their rights vis-à-vis each of the joint-

controllers, and notes that the shared responsibility to do so lies primarily with the CMPs

and publishers. In the light of the foregoing, the Litigation Chamber is, however, not in a

position to establish a violation of the Articles 15-22 GDPR.

f. Records of processing activities (Art. 30 GDPR)

507. The Inspection Service notes in its report that IAB Europe does not keep records of its

processing activities. The defendant takes the view, first of all, that it can rely on the

exception provided for in Article 30.5 of the GDPR and is therefore not subject to the

obligation to keep such records. However, in the course of the investigation, the defendant
231
added a summary of its processing activities to the documents in the file .

230
Submission of the complainantsdd. 18 February 2021, p. 2.
23IAB Europe's response to the investigation 10 February 2020 (Exhibit 57), p. 23.

107, 508. The Litigation Chamber first notes that the records submitted by the defendant do not

contain any activity relating to the TCF, with the exception of member management,

including administration of the TCF. Contrary to the defendant's assertion, in particular that

the records do not need to include the processing activities in the context of the TCF, the

Litigation Chamber is of the opinion that the records must at least include access to users'

consent signals, objections and preferences.

509. Indeed, in accordance with Article 8 of the TCF Policies (v1.1) 232 and Article 15 of the TCF

Policies (v2.0)33, the defendant reserves the right, as the Managing Organisation, to access

the"recordsofconsent".TheLitigationChamberalsoemphasisesthattheincidentalnature

of this access to users’ preferences has not been proven or raised by the defendant. The

stable relationship between IAB Europe as Managing Organisation and all organisations

participating in the TCF ecosystem should also be taken into account. In view of the large

number of participating organisations and the defendant's intention to monitor the

compliance of the various CMPs and other adtech vendors 234, more thoroughly in the

future, IAB Europe should also include this processing in its records of processing activities.

510. Therefore, the Litigation Chamber considers the non-incidental nature of the processing

and theinfringementofArticle 30.1 GDPR found by the InspectionService to besufficiently

proven.

g. Data protection impact assessment (Art. 35 GDPR)

511. The Litigation Chamber first notes that the defendant does not deny that the TCF can also

be used for RTB purposes.

512. The argumentation by the defendant that the TCF can be used for other, non-marketing-

related purposes and that the OpenRTB can also operate separately from the TCF is

therefore not relevant to the consideration of whether or not a data protection impact

assessment is required.

513. After all, the interrelationship between the TCF and the RTB implies that the preferences

users enter by using a CMP interface will necessarily have an impact on the way their

personal data are subsequently processed by adtech vendors within the RTB, as

determined by the OpenRTB specification.

23IAB Europe Transparency & Consent Framework Policies v2019-04-02.2c (Exhibit 38), p. 6.
233IAB Europe Transparency & Consent Framework Policies v2019-08-21.3 (Exhibit 32), p. 14.

234Cf. Hearing of 11 June 2021.

108, 514. The Litigation Chamber further refers to Decision No. 01/2019 of the General Secretariat of

235
the Belgian DPA , in which the General Secretariat has established a list of processing

operations for which a data protection impact assessment is mandatory.

515. ItisundisputedfortheLitigationChamberthattheTCFwasdeveloped,among otherthings,

for the RTB system, in which the online behaviour of users is observed, collected, recorded
236
or influenced in a systematic and automated manner, including for advertising purposes .

It is also not disputed that within the RTB, data is widely collected from third parties (Data

Management Platforms, or DMPs) in order to analyse or predict the economic situation,

health, personal preferences or interests, reliability or behaviour, location or movements of

natural persons 237.

516. Considering the large number of data subjects who come into contact with websites and

applications implementing the TCF, as well as the growing number of organisations

participating in the TCF, on the one hand, and the impact of the TCF on the large-scale

processing of personal data in the context of RTB, on the other, the Litigation Chamber

finds that, in accordance with Decision No. 01/2019, the Defendant is indeed subject to the

obligation to conduct a data protection impact assessment, pursuant to Article 35 of the

GDPR. Hence, Article 35 of the GDPR is violated.

h. Designation of a Data Protection Officer (art. 37 GDPR)

517. Article 37 GDPR provides for an obligation to designate a Data Protection Officer (DPO) in

cases where:

i. processing is carried out by a public authority or public body; or

ii. a controller or processor is primarily responsible for processing operations which,

by virtue of their nature, their scope and/or their purposes, require regular and

systematic monitoring of data subjects on a large scale; or

iii. the controller or processor is primarily responsible for the processing of large

volumes of special categories of personal data under Article 9 of the GDPR and of

personal data relating to criminal convictions and offences under Article 10 of the

GDPR.

235 Decision of the General Secretariat No. 01/2019 of 16 January 2019, available on the website of the GBA
https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-nr.-01-2019-van-16-januari-2019.pdf.
236Decision of the General Secretariat No. 01/2019 of 16 January 2019, para. 6.8).

237Decision of the General Secretariat No. 01/2019 of 16 January 2019, para. 6.3).

109, 518. The Litigation Chamber has already concluded that the defendant processes personal data

because IAB Europe, in its capacity as Managing Organisation, can have access to the TC

Strings and the records of consent 238.

519. The former Article 29 Working Party states that processing activities that are necessary to

achieve the purposes of the controller or processor can be considered as core activities

within the meaning of Article 37 GDPR. The Litigation Chamber finds that in view of the

importance of the TCF to the defendant, the stated purposes of the TCF, as well as the

associated processing of personal data in its capacity as Managing Organisation, the

processing under the TCF belongs to the core activities of IAB Europe.

520. With regard to the concept of 'large-scale processing operations', the Article 29 Working

Party clarifies that, inter alia, the following must be taken into account:

i. the number of data subjects - either as a specific number or as a proportion of the

relevant population;

ii. the amount of data and/or range of the different data items processed;

iii. the duration or permanence of data processing;

iv. the geographical extent of the processing activity.

In the present case , the Litigation Chamber finds that the TCF is offered in various Member

States; that the TCF intrinsically requires that the personal data of users be processed in

the form of a TC String for as long as this is necessary to be able to demonstrate that

consent was obtained in accordance with the TCF Policies; and that the personal data

processed is furthermore shared with numerous adtech vendors. From this, the Litigation

Chamber concludes that the TCF involves the large-scale processing of personal data.

521. With regard to the criterion of regular and systematic observation the WP29 interprets the

term "regular" in one or more of the following ways:

i. something that occurs continuously or at specific times during a certain period of

time

ii. something that occurs in a recurring manner, or repetitively at fixed times; or

iii. something that occurs constantly or periodically

The Litigation Chamber finds that the contractual obligation for Vendors and CMPs to

submit records of consent to the defendant, in its capacity as Managing Organisation, upon

simple request by IAB Europe falls within (i). Thus, there is regular observation of data

relating to identifiable users.

522. The term "systematic" should be understood in one or more of the following ways:

238See para. 358 and 468 of this decision.

110, i. Something that occurs according to a system

ii. Prearranged, organised or methodical

iii. Something that occurs in the context of a general data collection programme

iv. Something carried out as part of a strategy

523. Once again, the Litigation Chamber finds that the processing of the TC Strings or records

of consent by the defendant in the current version of the TCF meets at least the first three

criteria. Therefore, the Litigation Chamber rules that the TCF must be regarded as a regular

and systematic observation of identifiable users.

524. From the foregoing elements, the Litigation Chamber concludes that IAB Europe should

have appointed a DPO, in accordance with Article 37 GDPR. Hence, Article 37 of the GDPR

is violated.

C. Sanctions

525. As a preliminary matter, and as developed below, the Litigation Chamber notes that the

present decision on the TCF does not directly address deficiencies of the wider OpenRTB

framework. However, the Litigation Chamber does draw attention to the great risks to the

fundamental rights and freedoms of the data subjects posed by OpenRTB, in particular in

view of the large scale of personal data involved, the profiling activities, the prediction of

behaviour, and the ensuing surveillance (see A.3.1. - Definitions and operation of the Real-

Time Bidding system). Insofar as the TCF is the tool on which OpenRTB relies to justify its

compliance with the GDPR, the TC String plays a pivotal role in the current architecture of

the OpenRTB system.

526. Under Article 100 of the DPA Act, the Litigation Chamber has the power to:

1° classify the complaint without taking action;

2° order the dismissal of the case;

3° pronounce a suspension of the pronouncement;

4° propose a transaction;

5° formulate warnings or recommendations;

6° order to comply with the requests of the person concerned to exercise these

rights;

7° order that the interested party be informed of the security problem;

8° order the freezing, restriction or temporary or permanent prohibition of

processing;

9° order the compliance of the treatment;

10° order the rectification, restriction or erasure of data and the notification to

recipients of the personal data;

111, 11° order the withdrawal of the certification bodies' accreditation;

12° impose fines;

13° impose administrative fines;

14° order the suspension of data flows to another State or international body;

15° forward the file to the Brussels Public Prosecutor's Office, which informs it of

the action relating to the file;

16° decide, case by case, to publish its decisions on the internet site of the Data

Protection Authority.

527. As for the administrative fine that may be imposed pursuant to Article 83 of the GDPR and

Articles 100, 13° and 101 DPA Act, Article 83 of the GDPR provides:

« 1. Each supervisory authority shall ensure that the imposition of administrative fines

pursuant to this Article in respect of infringements of this Regulation referred to in
paragraphs4,5and6shallineach individualcasebeeffective,proportionateanddissuasive.

Administrative fines shall, depending on the circumstances of each individual case, be
imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article

58(2). When deciding whether to impose an administrative fine and deciding on the amount
of the administrative fine in each individual case due regard shall be given to the following:

a) the nature, gravity and duration of the infringement taking into account the nature
scope or purpose of the processing concerned as well as the number of data

subjects affected and the level of damage suffered by them;

b) the fact that the violation hasbeen committed deliberately or through negligence;

c) any action taken by the controller or processor to mitigate the damage suffered by
data subjects;

d) the degree of responsibility of the controller or processor taking into account
technical and organisational measures implemented by them pursuant to Articles

25 and 32;

e) any relevant previous infringements by the controller or processor;

f) the degree of cooperation with the supervisory authority, in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;

g) the categories of personal data affected by the infringement;

h) the manner in which the infringement became known to the supervisory authority,

in particular whether, and if so to what extent, the controller or processor notified
the infringement;

i) where measures referred to in Article 58(2) have previously been ordered against
the controller or processor concerned with regard to the same subject-matter,

compliance with those measures;

j) adherence to approved codes of conduct pursuant to Article 40 or approved

certification mechanisms pursuant to Article 42; and

112, k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits gained, or losses avoided, directly or indirectly, from

the infringement. ».

239
528. Recital 150 GDPR further distinguishes between whether the offender is an undertaking

or not. In the first hypothesis, the criterion (fixed amount or percentage) for reaching the

highestfineshould be applied.Where, ontheother hand, theoffender is not an undertaking,

account should be taken of the economic situation of the offender and the general level of

incomes in the Member State concerned. This is to prevent the imposition of fines that

could be disproportionately high.

529. It is important to contextualise the shortcomings of the defendant in order to identify the

most appropriate corrective measures. In this context, the Litigation Chamber will take into

account all the circumstances of the case, including — within the limits it specifies below —

the reaction submitted by the defendant to the envisaged sanctions communicated by

means ofthe sanction form 240.In this regard, the LitigationChamber specifies that theform

it sent expressly mentions that it does not involve the reopening of debates. Its sole

purpose is to collect the defendant's reaction to the planned sanctions.

530. While measures such as a compliance order or a ban on further processing can put an end

to an identified infringement, administrative fines, as set out in Recital 148 of the GDPR, are

imposed in case of serious infringements, in addition to or instead of the appropriate

measures that are required to remedy the infringement.

531. The Litigation Chamber would also like to point out that it is its sovereign responsibility as

an independent administrative authority — in compliance with the relevant articles of the

GDPR and the DPA Act — to determine the appropriate corrective measure(s) and

sanction(s). This follows from Article 83 GDPR itself, but also the Market Court has

emphasised the existence of a wide margin of manoeuvre in its case law, inter alia in its

241
judgment of 7 July 2021 .

532. The Litigation Chamber notes that the complainants are making various requests for

sanctionsagainstthedefendant.However,itisnotforthecomplainantstoasktheLitigation

Chamber to order any particular corrective measure or sanction, nor is it up to the Litigation

Chamber to give reasons for not accepting any of the requests made by the

239Recital 150 of the GDPR: '[...] Where administrative fines are imposed on an undertaking, an undertaking should be

understood to be an undertaking in accordance with Articles 101 and 102 TFEU for those purposes. Where administrative
finesareimposedonpersonsthatarenotanundertaking,thesupervisoryauthorityshouldtakeaccountofthegenerallevel
ofincomeintheMemberStateaswellastheeconomicsituationofthepersoninconsideringtheappropriateamountofthe
fine.[…]”.
240See para. 534 as well as para. 272 et seq. of this decision.
241
Court of Appeal of Brussels, Market Court Section, 19th ChamberA, Market Cases Section, 2021/AR/320, pp. 37-47.

113, complainants 242. These considerations nevertheless leave intact the obligation for the

Litigation Chamber to give reasons for the choice of measures and sanctions which it

deems appropriate (from the list of measures and sanctions made available to it by Article

58 of the GDPR and Article 100 of the DPA Act) to sentence the defendant.

533. In the present case, the Litigation Chamber notes that the complainants request the

Litigation Chamber to take the following measures and sanctions. These proposals are

included for information:

"1) In application of Article 100, §1, 8° DPA Act (relating to IAB Europe) to:

a. prohibit the TC String to be processed in the TCF;

b. prohibit all personal data associated with the processing of the TC String, such as IP
addresses, websites visited and apps used, from being processed in the TCF;

c. order the permanent removal from its website and its other public communication

channelsofalldocuments,filesandrecordsthatinanywayinciteorobligeanythirdparty

to carry out such processing;

2)InapplicationofArticle100,§1,10°DPA,orderIABEuropetopermanentlydeleteallTCStrings

and other personal data already processed in the TCF from all its IT systems, files and data

carriers,andfromtheITsystems,filesanddatacarriersofprocessorscontractedbyIABEurope;

3) In application of Article 100, §1, 10° DPA Act order IAB Europe to inform all recipients of the

personal data processed in the TCF of the order imposed by the Litigation Chamber:

a. prohibition to process the TC String in the TCF;

b. prohibit all personal data associated with the processing of the TC String, such as IP

addresses, websites visited and apps used, from being processed in the TCF;

c. order to permanently delete all TC Strings and other personal data already processed in
the TCF from all IT systems, files and data carriers;

andthisbothclearlyvisibleandreadableinaboldboxatthetopofthehomepageofIABEurope's

website www.iabeurope.eu in the usual font and size until 6 months after a judgment of the

Market Court becomesfinal, ifapplicable pursuant to Section 108ofthe DPA Act, or by email, in

both cases with a hyperlink to the English-language version of the decision of the Litigation

Chamber on the website of the GBA;

4) In application ofArticle 100, §1, 12° DPA Act on behalfofIABEurope order the forfeitureofa

penalty payment of EUR 25,000 per started calendar day of delay in the execution of any

measure imposed in the interlocutory decision of the Litigation Chamber as from the expiration

of seven calendar days after the interlocutory decision of the Litigation Chamber.”

242See Court of Appeal of Brussels, Market Court Section, 19th Chamber A, Market Cases Section, 1 December 2021,
2021/AR/1044, p. 25.

114, 534. A sanction form has been sent to the defendant on 11 October 2021. IAB Europe submitted
243
its response on 1 November 2021 . This response has been taken into consideration in the

following paragraphs.

C.1. - Breaches

535. The Litigation Chamber found the defendant in breach of the following articles:

▪ Articles 5.1.a and 6 GDPR — The current TCF does not provide a legal basis for the

processing of user preferences in the form of a TC String. Moreover, the Litigation

Chamber notes that the TCF offers two bases for the processing of personal data by

participating adtechvendors, but finds that noneofthemcanbeused.First, the consent

ofthedatasubjects iscurrently notgiveninasufficientlyspecific,informedandgranular

manner. Second, the legitimate interest of the organisations participating in the TCF is

outweighed by the interests of the data subjects, in view of the large-scale processing

of the users’ preferences (collected under the TCF) in the context of the OpenRTB

protocoland theimpactthiscanhaveonthem.Since noneofthegrounds forlawfulness
244
set out in Article 6 of the GDPR apply to this processing, as explained above , the

defendant is in breach of Articles 5.1.a and 6 GDPR.

Taking noteofthe factthatthedefendantitselfdoes no longer havefactual or technical

control over the TC Strings once these have been generated by the CMPs and stored

on the users’ devices 245, the Litigation Chamber finds that it cannot impose the a

posteriori removal of all TC Strings generated until now on the defendant. More

specifically, it is the responsibility of the CMPs and the publishers who implement the

TCF 24, to taketheappropriatemeasures, inlinewith Articles 24 and 25 GDPR, ensuring

that personal data that has been collected in breach of Articles 5 and 6 GDPR is no

longer processed and removed accordingly. Insofar as IAB Europe is still storing

TC Strings deriving from the no longer supported globally scoped consent cookies, the

Litigation Chamber equally finds that the necessary measures must be taken by the

defendant to warrant permanent erasure of these no longer necessary personal data.

▪ Articles 12, 13, and 14 GDPR — As developed above (see B.4.2. - Duty of transparency

towards data subjects (Art. 12, 13 and 14 GDPR)), the way in which the information is

provided to the data subjects does not meet the requirement of a 'transparent,

comprehensible and easily accessible manner’. Users of a website or an application

243See title A.10.- Sanction form, European cooperation procedure,supra.
244
See title B.4.1 - Lawfulness and fairness of processing (Art. 5.1.a and 6 GDPR).
245In accordance with the mandatory policies and technical specifications established and imposed on TCF participants by
IAB Europe.
246
Furthermore, the Litigation Chamber underlines the fact that none of the CMPs and adtech vendors haven taken part in
the present proceedings.

115, participating in the TCF are not given sufficient information about the categories of

personal data collected about them, nor are they able to determine in advance the

scope and consequences of the processing. The information given to users is too

general to reflect the specific processing of each vendor, which also prevents the

granularity — and therefore the validity — of the consent received for the processing

carried out using the OpenRTB protocol. Data subjects are unable to determine the

scope and consequences of the processing in advance, and therefore do not have

sufficient control over the processing of their data to avoid being surprised later by

further processing of their personal data.

247
▪ Articles24,25,5.1.fand 32GDPR —Asexplained above ,onthebasisofArticles5.1.f

and 32 GDPR, the controller is obliged to ensure the security of the processing and the

integrity of the personal data processed. The Litigation Chamber recalls that the

combined reading of Articles 5.1.f and 32, as well as 5.2 and 24 GDPR (subjecting the

controller to the principle of accountability) requires the controller to demonstrate its

compliance with Article 32, by taking appropriate technical and organisational

measures, in a transparent and traceable manner. Under the current TCF system,

adtech vendors receive a consent signal without any technical or organisational

measure to ensure that this consent signal is valid or that a vendor has actually received

it (rather than generated it). In the absence of systematic and automated monitoring

systems of the participating CMPs and adtech vendors by the defendant, the integrity

oftheTC String is notsufficiently ensured, sinceit is possiblefor the CMPs to falsify the

signal in order to generate an euconsent-v2 cookie and thus reproduce a "false

consent"oftheusersforallpurposesandforalltypesofpartners.Asindicatedabove 24,

this hypothesis is also specifically foreseen in the terms and conditions of the TCF. The

Litigation Chamber therefore finds that IAB Europe, in its capacity of Managing

Organisation, has designed and provides a consent management system, but does not

take the necessary steps to ensure the validity, integrity and compliance of users'

preferences and consent.

The Litigation Chamber also finds that the current version of the TCF does not facilitate

the exercise of the data subject rights, especially taking into consideration the joint-

controllership relation between the publisher, the implemented CMP and the

defendant. The Litigation Chamber also underlines that the GDPR requires that data

subjects rights can be exercised vis-à-vis each of the joint-controllers in the TCF such

as to comply with Articles 24 and 25 GDPR.

247
See title B.4.3. - Accountability (art. 24 GDPR), data protection by design and by default (Art. 25 GDPR), integrity and
confidentiality (Art. 5.1.f GDPR), as well as security of processing (Art. 32GDPR)
248See para. 485 of this decision.

116, In light of the above, the Litigation Chamber finds that the defendant is in breach of its

obligations of security of processing, integrity of personal data, and data protection by

design and data protection by default (Articles 24, 25, 5.1.f and 32 GDPR).

▪ Article 30 GDPR — As developed above 249, the Litigation Chamber cannot follow the

defendant's argument that it can benefit from the exceptions to the obligation to

maintain records of processing activities, provided for in Article 30.5 GDPR. As the

records of processing activities of the defendant do not contain any processing

operations relating to the TCF, except for the management of members and the

administration of the TCF, although IAB Europe as Managing Organisation can access

therecords ofconsent, theLitigationChamber finds abreach of Article 30 GDPR by the

defendant.

▪ Article 35 GDPR — In view of the large number of data subjects that come into contact

with websites and applications implementing the TCF, as well as organisations

participating in the TCF, on the one hand, and the impact of the TCF on the large-scale

processing of personal data in the OpenRTB system, on the other hand, the Litigation

Chamber finds that IAB Europe has failed to carry out a comprehensive data protection

impact assessment (DPIA) with regard to the processing of personal data within the

TCF, and thus violated Article 35 GDPR. The Litigation Chamber finds that the TCF was

developed, among other things, for the RTB system, in which the online behaviour of

users is observed, collected, recorded or influenced in a systematic and automated

manner, including for advertising purposes. It is also not disputed that within the

OpenRTB, data are widely collected from third parties (DMPs) in order to analyse or

predict the economic situation, health, personal preferences or interests, reliability or

behaviour, location or movements of natural persons.

▪ Article 37 GDPR — Because of the large-scale, regular and systematic observation of

identifiable users that the TCF implies, and in view of the defendant's role, more

specifically of its capacity as Managing Organisation, the Litigation Chamber rules that

IAB Europe should have appointed a Data Protection Officer (DPO). By failing to do so,

the defendant infringes Article 37 GDPR.

249See para. 507 et seq. of this decision.

117,C.2. - Sanctions

536. Therefore, the Litigation Chamber orders the defendant:

I. To render the TCF compliant with the obligation of lawfulness, fairness and

transparency (Articles 5.1.a and 6 GDPR), by establishing a legal basis for the

processing as well as the sharing of user preferences in the context of the TCF, in

the form of a TC String and euconsent-v2 cookie placed on the users' devices for

this purpose. These obligations also imply that any personal data collected so far by

means of a TC String in the context of the globally scoped consents, which is no

longer supported by IAB Europe, shall be deleted without undue delay by the

defendant. In addition, the Litigation Chamber orders the defendant to prohibit the

use of legitimate interest as a legal ground for processing by the organisations

participating in TCF in its current format, via its terms of use.

II. To render the TCF compliant with the transparency and information obligation

(Articles 12, 13, and 14 of the GDPR), by requiring TCF-registered CMPs to take a

harmonised and GDPR-compliant approach regarding the information to be

provided to users through their interface. The information, which covers the

categories of data collected, the purposes for which they are collected, and the

applicable legal grounds for processing, must be precise, concise and

understandable in order to avoid users being surprised by subsequent processing

of their personal data by parties other than the publishers or IAB Europe.

III. To ensure compliance of the TCF with the obligations of integrity and security, as

well as data protection by design and by default (under Articles 5.1.f and 32 GDPR,

and 25 GDPR). In this respect, the Litigation Chamber orders to include effective

technical and organisational monitoring measures to facilitate the exercise of data

subject rights and to guarantee the integrity of the TC String in view of the

possibility, in the current state of the system, of falsification of the signal. An

example of measures to be put in place under Article 32 of the GDPR is a strict

vetting process for organisations participating to the TCF. The Litigation Chamber

reminds the defendant as well as the other joint-controllers of their obligation to

makethe necessary arrangements such as to ensure, amongst other requirements,

that data subjects may effectively exercise their rights. Lastly, in the context of

Article 25 of the GDPR, the defendant must prohibit, via its terms of use, the

organisations participating in the current version of TCF from activating a default

consent, as well as from basing the lawfulness of the intended processing activities

on the legitimate interest.

IV. To ensure the compliance of the records of processing activities carried out in the

framework of the TCF in its current format, and in particular relating to the

118, processing of users' preferences and consent in the form of a TC String and the

placement of a cookie euconsent-v2 on their devices.

V. To carry out a data protection impact assessment, covering both the processing

activities under the TCF and the impact of these activities on subsequent

processing under the OpenRTB.

VI. To designate a Data Protection Officer (DPO), responsible, inter alia, for ensuring

the compliance of personal data processing activities in the context of the TCF, in

accordance with Articles 37 to 39 of the GDPR.

537. These compliance measures should be completed within a maximum period of six months

following the validation of an action plan by the Belgian Data Protection Authority, which

shall be submitted to the Litigation Chamber within two months after this decision. On the

ground of Article 100 § 1 , 12° of the DPA Act, a penalty payment of 5.000 EUR per day will

be due in case of failure to comply within the above-mentioned time limits.

538. In addition to this compliance order, the Litigation Chamber is of the opinion that an

administrative fine is justified in this case for the following reasons, which are analysed on

the basis of article 83.2 GDPR.

539. The principles of lawfulness, fairness, transparency and security are part of the essence of

the GDPR and infringements of these rights are punishable by the highest fines, according

to Article 83.5 GDPR. In this respect, the failure to respect the basic principles of data

protection should be penalised by proportionately high fines, depending on the

circumstances of the case. In this regard, reference can be made to the Guidelines on the

Application and Setting of Administrative Fines, according to which:

« Fines are an important tool that supervisory authorities should use in appropriate

circumstances. The supervisory authorities are encouraged to use a considered and

balanced approach in their use of corrective measures, in order to achieve both an

effective and dissuasive as well as a proportionate reaction to the breach. The point is

tonotqualifythefinesaslastresort,nortoshyawayfromissuingfines,butontheotherhand

not to use them in such a way which would devalue their effectiveness as a tool. »

540. In its subparagraph (a), article 83.2. refers to « the nature, gravity and duration of the

infringement taking into account the nature scope or purpose of the processing concerned

as well as the number of data subjects affected and the level of damage suffered by them ».

541. With regard to the nature and gravity of the infringements, the Litigation Chamber notes

that the principles of lawfulness (Articles 5.1.a and 6 GDPR), transparency (Articles 12 to 14

250Article 29 Working Party – Guidelines on the application and setting of administrative fines for the purposes of the
Regulation 2016/679 (WP 253),p. 7.

119, GDPR) as well as security (Articles 5.1.f and 32 GDPR) are fundamental principles of the

protection regime set up by the GDPR. The principle of accountability set out in Article 5.2.

of the GDPR and developed in Article 24 is also at the heart of the GDPR and reflects the

paradigm shift brought about by the GDPR, i.e. a shift from a regime based on prior

declarations and authorisations by the supervisory authority to greater accountability and

responsibility of the controller. Respect of its obligations by the latter and its ability to

demonstrate this are therefore only more important.

542. A valid legal basis and transparent information are core elements of the fundamental right

to data protection. As far as transparency is concerned, this principle is the 'gateway' that

strengthens the control of data subjects over their personal data and enables the exercise

of other rights granted to the data subjects by the GDPR, such as the right to object and the

right of erasure. Breaches of these principles constitute serious infringements, which may

be subject to the highest administrative fines foreseen under the GDPR.

543. The breach of Article 25, on the obligation of data protection by design and by default, as

well as of Article 30 on keeping records of processing activities are also significant

infringements, particularly in view of the scale of the processing operations and the impact

on the privacy of the complainants as well as the other users confronted with websites or

applications that have implemented the TCF.

544. As regards the nature and purpose of the processing, and more specifically on the nature of

the data, the Litigation Chamber notes that the TC String, as an expression of users'

preferences on the processing purposes and the potential adtech vendors being provided

through the CMP interface, constitutes the cornerstone of the TCF. Although the scope of

this decision is the TCF and its TC String, and the sanction imposed on the defendant

pertains solely to that framework, the compliance of the OpenRTB with the GDPR is

assessed as part of a holistic analysis of the TCF and its interaction with the former. Insofar

as the current version of the TCF is the tool on which OpenRTB relies to justify its

compliance with the GDPR, and because the defendant facilitates membership and use of

the OpenRTB to a significant number of participating organisations, the Litigation Chamber

finds that IAB Europe plays a pivotal role as regards the OpenRTB, without being a data

controller in that context.

545. As regards the scope of the contested processing and the number of data subjects

affected, the Litigation Chamber notes that the TCF (in its current format), as developed by

the defendant (representing large players in the online behavioural advertising sector 25),

offers a unique service on the market. The TCF’s scope is therefore essential, given the

growing number of partners that signed up to it. Regarding the level of damage incurred by

25See para. 36 of this decision.

120, concerned data subjects, the Litigation Chamber underlines once more that the TC String

plays a pivotal role in the current architecture of the OpenRTB system. Thereby, the

TC String supports a system posing great risks to the fundamental rights and freedoms of

the data subjects, in particular in view of the large scale of personal data involved, the

profiling activities, the prediction of behaviour, and the ensuing surveillance of data

subjects.

546. With respect to the duration of the infringement, the Litigation Chamber takes note that

theTCF is offered by thedefendantsince25April 2018as amechanism for obtaining users'

consent with respect to predetermined processing purposes, and for the transfer of their

personal data to TCF-participants, including adtech vendors. Notwithstanding the various

iterations of the framework, which has been upgraded to the second version of the TCF on

21 August 2019, and taking into account the systemic deficiencies of the TCF under the

GDPR, the LitigationChamber finds thatthebreaches haveexisted atleastsinceMay 2018,

withregard to thevalidity ofthecollected consentand theplacementof aTC String without

a valid legal ground, and since August 2019 for the reliance on legitimate interest as a legal

ground to process the data subjects’ personal data.

547. Article 83.2.b GDPR requires the DPA to take into account the intentional or negligent

character of the infringement. Observing that the defendant, in its role as Managing

Organisation, was aware 252of risks linked to non-compliance with the TCF, in particular

relating to the integrity of the TC String and the encapsulated choices and preferences of

the users, and in light of the impact of the TC String on the subsequent processing

operationsundertheOpenRTB,theLitigationChamber findsthatIAB Europe wasnegligent

in establishing the measures governing the implementation of the current version of the

TCF.

548. In its subparagraph (c), article 83.2 GDPR refers to potential actions taken by the controller

to mitigate the damage suffered by data subjects. The Litigation Chamber notes the

absence of concrete measures taken or introduced by the defendant in order to mitigate

the damage suffered by the data subjects (i.e. the processing of their personal data

regardless of their choices, or in the absence of a valid legal ground).

549. Article 83.2.d of the GDPR concerns the degree of responsibility of the controller or

processor, taking into account technical and organisational measures implemented by

them pursuant to Articles 25 and 32.

550. Even if the Litigation Chamber does not take into account in the present decision the

developments that occurred after the closure of the proceedings in June 2021, the

25See para. 485 of this decision.

121, Litigation Chamber takes note that the defendant already announced during the hearing 253

its intention to introduce a "TCF Vendor Compliance Programme" in September 2021,

through which audits of organisations participating in the TCF (listed on the Global Vendors

List) will be established.

551. The Litigation Chamber encourages all measures aimed at ensuring compliance with the

GDPR. Nevertheless, as explained in para. 487-488, in view of the defendant's lack of

systematic monitoring of compliance with the TCF rules by the participating organisations

at the time of the complaints, and taking into account the significant impact of such

violations (e.g. in case of falsification or modification of the TC String), the Litigation

Chamber considers that the announcement of this initiative to increase its compliance with

one of its obligations as a data controller for the TCF and consisting of audits of adtech

vendors on the Global Vendors List demonstrates that the TCF was not compliant with the

defendant’s safetyobligations,includingtheobligationtomitigatedamagesufferedbydata

subjects. No other actions were communicated by the defendant to the Litigation Chamber

in this respect.

552. Furthermore, the Litigation Chamber is no longer in a position to review the nature of this

programme and, in any event, this new programme does not change the nature of the

breaches of the GDPR that occurred until the closure of the debates in June 2021.

553. In light of article 83.2.e of the GDPR, the Litigation Chamber notes the absence, at the time

of the present decision, of any final decision by other competent supervisory authorities,

regarding previous relevant infringements by the defendant in relation to the TCF.

554. Article 83.2.f of the GDPR concerns the degree of cooperation with the supervisory

authority, in order to remedy the infringement and mitigate the possible adverse effects of

the infringement. In this regard, the Litigation Chamber disagrees with the Inspection

Service’s finding that the defendant did not cooperate sufficiently with the former, apart

from the provision and submission of records of processing activities conducted by IAB

Europe.

555. Insofar as the categories of personal data affected by the infringement are concerned

(Article 83.2.g of the GDPR), the Litigation Chamber acknowledges that the personal data

contained in and processed by means of the TC String are in adequacy with the principle of

data minimisation, having regard to their nature. Notwithstanding the previous, the

Litigation Chamber reiterates its position that the TCF plays a pivotal role in supporting the

processing operations based on the OpenRTB protocol. Hence, the Litigation Chamber

concludes that it cannot exclude that both special and regular categories of personal data

253 And confirmed by the defendant through a public announcement on its website, on 26 August 2021:
https://iabeurope.eu/blog/iab-europe-launches-new-tcf-vendor-compliance-programme/

122, —processed by means of abid request to which the TC String is attached— may beaffected

by the infringements that occurred under the TCF.

556. With regard to article 83.2.h of the GDPR, the Litigation Chamber notes that this criterion is

not relevant to the present case.

557. Article 83.2.i of the GDPR is not applicable in the absence of any previous final decision in

this regard, taken against the defendant.

558. Article 83.2.j of the GDPR concerns the adherence to approved codes of conduct or

approved certification mechanisms. In this context, the Litigation Chamber notes that

IAB Europe has previously been in contact with the Belgian Data Protection Authority

concerning the drafting and adoption of a Code of Conduct (at the point of time when the

proceedings were already pending). The Litigation Chamber also underlines the absence of

follow-up by the defendant in this regard since June 2020, without any further explanation

by the defendant.

559. Lastly, article 83.2.k of the GDPR refers to any other aggravating or mitigating factor

applicable to the circumstances of the case, such as financial benefits gained, or losses

avoided, directly or indirectly, from the infringement. The Litigation Chamber did not retain

specific factors that would change the amount of the fine.

560. Indeterminingtheamountoftheadministrativefine,article83.3to 83.7GDPR usetheterm

“undertaking”, which, based on Recital 150 of the GDPR and as confirmed by the WP29 and

the EDPB 254, should be understood in accordance with articles 101 and 102 TFEU. Based on

CJEU case law, the term undertaking in Articles 101 and 102 TFEU refers to a single

economicunit(SEU),evenifthiseconomicunitislegallyformed fromseveralnaturalorlegal

persons 255.

561. Toassesswhetherseveral entities formaSEU,theabilityoftheindividual entitytotakefree

decisions should be taken into account. It should also be considered whether a leading

entity (the parent company), exercises decisive influence over the other entity or not

(examples of criteria are the amount of the participation, personnel or organizational ties,

instructions and the existence of company contracts).

562. TheLitigationChamber could notfind anyindication ofdecisiveinfluencefromIAB Inc.over

the defendant IAB Europe, or limitation of freedom of its decision with respect to IAB Inc.

254Article-29-Working Party – Guidelines on the application and setting of administrative fines for the purposes of the
Regulation 2016/679 (WP 253) and confirmed by the EDPB in Endorsement 1/2018 on 25 May 2018; as well as EDPB
Binding Decision 1/2021, para. 292.
255
CJUE Judgment of 23 April 1991. Klaus Höfner and Fritz Elser v Macrotron GmbH, C-41/90, ECLI:EU:C:1991:161,
paragraph 21, and CJUE Judgment of 14 December 2006, Confederación Española de Empresarios de Estaciones de
Servicio, C-217/05, ECLI:EU:C:2006:784, para. 40

123, 563. This was also developed by the defendant in its response to the sanction form, wherein IAB

Europe claims that IAB Inc. has no ownership stake in the defendant nor any say in the

deployment of IAB Europe’s activities. The defendant indicated that IAB Inc.

(headquartered in the USA) licenses the “IAB” brand to other organizations, and remains an

entirely separate and independent entity from IAB Europe.

564. TheLitigationChamberthereforedecidestobaseitsdecisiononthesolefinancialrevenues

of IAB Europe as reference for calculating the administrative fine, instead of the annual

turnover of IAB Inc.

565. In this regard, the Litigation Chamber takes note that the annual gross benefits of the

defendant amounted to EUR 2.471.467 in 2020 256. As a subsidiary point, the Litigation

Chamber also observes that participating organisations are required to pay an annual fee of
257
1.200 EUR to the defendant upon their registration to the TCF . Having regard to the total

number of registered TCF adtech vendors, which has significantly increased from 420 on

25 May 2020 to 744 on 7 June 2021, the Litigation Chamber thus finds that a large part of

the income of IAB Europe is generated through the licensing of the TCF. More specifically,

IAB Europe would make a gross profit of at least 981.600 EUR for 2021 with the TCF

258
participants’ annual fee — including both the adtech vendors and the CMPs — alone.

566. Under Article 83.4, infringements of articles 25, 30, 32, 35 and 37 GDPR may amount to up

to 10.000.000 EUR or, in the case of an undertaking, up to 2% of the total annual worldwide

turnover of the preceding business year.

567. Under 83.5 GDPR, infringements of articles 5.1.a, 5.1.f, 6, and 12 to 14 GDPR may amount to

up to 20.000.000 EUR or, in the case of an undertaking, up to 4% of the total annual

worldwideturnover ofthe preceding business year.The maximum amountofthefine in this

case, as provided for in Article 83.5, is therefore 20.000.000 EUR.

568. As these are, among other things, infringements of a fundamental right enshrined in

Article 8 of the Charter of Fundamental Rights of the European Union, the assessment of

their seriousness based on Article 83.2.a GDPR will be made in an autonomous manner.

569. Based on the elements developed above, the defendant's reaction to the proposed

sanction form, as well as the criteria listed in Article 83.2 GDPR, the Litigation Chamber

considers that the above-mentioned infringements justify to impose a compliance order in

er
conjunction with an administrative fine of 250.000 EUR (Article 100, § 1 , 13° and 101 DPA

Act) on the defendant, as an effective, proportionate and dissuasive sanction in light of

256See Annual Accounts 21/12/2020, available at https://cri.nbb.be/bc9/web/catalog?execution=e1s1.
257https://iabeurope.eu/wp-content/uploads/2019/08/TCF-Fact-Sheet_General.pdf
258 th
Totalling 74 CMPs on June 7 , 2021: https://iabeurope.eu/cmp-list/. The actual profit is likely to be higher, considering
the still increasing number of TCF participants.

124, Article 83 GDPR. In fixing this amount, the Litigation Chamber took into account the annual
259
business volume of the defendant, which amounted to 2.471.467 EUR in 2020 .

570. The amount of EUR 250.000 EUR remains, in view of the aforementioned elements,

proportionate to the infringements that have been established by the Litigation Chamber.

This amount is also much lower than the maximum amount of 20.000.000 EUR provided

for by Article 83.5 GDPR.

571. The Litigation Chamber is of the opinion that a lower fine would not meet, in the present

case,thecriteriarequired byArticle83.1oftheGDPR,accordingto whichthe administrative

fine must not only be proportionate, but also effective and dissuasive. These elements

derive from the principle of loyal cooperation described in Recital 13 GDPR (in line with

Article 4.3 of the Treaty on the European Union).

572. In view of the importance of transparency regarding the decision-making process of the

Litigation Chamber and in accordance with Article 100, §1, 16° of the DPA Act, this decision
260
is published on the website of the Data Protection Authority . Having regard to the

previous publicity surrounding this case, as well as the general interest to the public, also in

view of the a large number of data subjects and organisations involved, the Litigation

Chamber has decided not to delete the direct identification data of the parties and persons

mentioned, whether natural or legal persons.

259See Annual Accounts 21/12/2020 available at https://cri.nbb.be/bc9/web/catalog?execution=e1s1
260
See also para. 287.

125,FOR THESE REASONS,

the Litigation Chamber of the Data Protection Authority decides, after deliberation, to:

- order the defendant, pursuant to Article 100(1)(9) of the DPA Act, with a view to bring the

processing of personal data within the context of the TCF in line with the provisions of the

GDPR, by:

a. providing a valid legal basis for the processing and dissemination of users' preferences

within the context of the TCF, in the form of a TC String and a euconsent-v2 cookie, as

well as prohibiting, via the terms of use of the TCF, the reliance on legitimate interests as

a legal ground for the processing of personal data by organisations participating in the

TCF in its current form, pursuant to Articles 5.1.a and 6 of the GDPR;

b. ensuring effective technical and organisational monitoring measures in order to

guarantee the integrity and confidentiality of the TC String, in accordance with Articles

5.1.f, 24, 25 and 32 of the GDPR;

c. maintaining a strict audit of organisations that join the TCF in order to ensure that

participating organisations meet the requirements of the GDPR, in accordance with

Articles 5.1.f, 24, 25 and 32 of the GDPR;

d. taking technical and organisational measures to prevent consent from being ticked by

default in the CMP interfaces as well as to prevent automatic authorisation of

participating vendors relying on legitimate interest for their processing activities, in

accordance with Articles 24 and 25 of the GDPR;

e. forcing CMPs to adopt a uniform and GDPR-compliant approach to the information they

submit to users, in accordance with Articles 12 to 14 and 24 of the GDPR;

f. updating the current records of processing activities, by including the processing of

personal data in the TCF by IAB Europe, in accordance with Article 30 of the GDPR;

126, g. carrying out a data protection impact assessment (DPIA) with regard to the

processing activities under the TCF and their impact on the processing activities

carried out under the OpenRTB system, as well as adapting this DPIA to future

versions or amendments to the current version of the TCF, in accordance with

Article 35 of the GDPR;

h. appointing a Data Protection Officer (DPO) in accordance with Articles 37 to 39 of

the GDPR.

These compliance measures should be completed within a maximum period of six

months following the validation of an action plan by the Belgian Data Protection

Authority, which shall be submitted to the Litigation Chamber within two months after
er
this decision.Pursuantto Article100§ 1 , 12° oftheDPAAct, apenalty paymentof5.000

EUR per day will be due in case of failure to comply within the above-mentioned time

limits.

- impose an administrative fine of 250.000 EUR on the defendant pursuant to Article 101

of the DPA Act.

This decision may be appealed before the Market Court, pursuant to Article 108(1) of the DPA

Act, within a period of thirty days from its notification, with the Data Protection Authority as

defendant.

(signed) Hielke HIJMANS

President of the Litigation Chamber

127

↑ 9 M. VEALE, FR. ZUIDERVEEN BORGESIUS, "Adtech and Real-Time Bidding under European Data Protection Law", German Law Journal, 31 July 2021, p. 9.

[1] 9 M. VEALE, FR. ZUIDERVEEN BORGESIUS, "Adtech and Real-Time Bidding under European Data Protection Law", German Law Journal, 31 July 2021, p. 9.

[1]

@@ Line 84: / Line 84: @@
 Users' responses are coded and stored in a “T[ransparency and] C[onsent] string”, which are shared with the organisations participating in the OpenRTB system (the most widely used protocol for “Real-Time Bidding”) so that they know to what the user has consented/objected. The CMP also places a cookie (euconsent-v2) on the user’s device. When combined, the TC string and the euconsent-v2 cookie can be linked to the IP address of the user, therefore making the author of the preferences identifiable. The TCF plays a pivotal role in the architecture of the OpenRTB system, as it is the expression of users’ preferences regarding potential vendors and various processing purposes, including the offering of tailor-made advertisement.
-Since 2019, the Belgian DPA received a series of complaints about the the Transparency & Consent Framework ('TCF'). The complaints related to (i) the conformity of the TCF with the principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, as well as to accountability, and (ii) the responsibility of IAB Europe and other actors involved. Four of the nine total "''identical or very similar''" complaints were filed directly with the Belgian DPA, the rest with other DPAs which passed them on through the IMI system. They were considered by the Litigation Chamber of the DPA as its administrative dispute resolution body ([http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?language=fr&la=F&cn=2018073046&table_name=loi&&caller=list&F&fromtab=loi&tri=dd+AS+RANK&rech=1&numero=1&sql=(text+contains+(%27%27))#Art.32) Article 32 Belgian Data Protection Act])
+Since 2019, the Belgian DPA received a series of complaints about the Transparency & Consent Framework ('TCF'). The complaints related to (i) the conformity of the TCF with the principles of legality, appropriateness, transparency, purpose limitation, storage restriction and security, as well as to accountability, and (ii) the responsibility of IAB Europe and other actors involved. Four of the nine total "''identical or very similar''" complaints were filed directly with the Belgian DPA, the rest with other DPAs which passed them on through the IMI system. They were considered by the Litigation Chamber of the DPA as its administrative dispute resolution body ([http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?language=fr&la=F&cn=2018073046&table_name=loi&&caller=list&F&fromtab=loi&tri=dd+AS+RANK&rech=1&numero=1&sql=(text+contains+(%27%27))#Art.32) Article 32 Belgian Data Protection Act])
 === Holding ===
@@ Line 222: / Line 222: @@
 # To render the TCF compliant with the principles of lawfulness, fairness and transparency ([[Article 5 GDPR#1#a|Articles 5(1)(a)]] and [[Article 6 GDPR|6 GDPR]]) by establishing a legal basis for the processing as well as the sharing of user preferences in the context of the TCF, in the form of a TC String and euconsent-v2 cookie placed on the users' devices for this purpose. It added that "''any personal data collected so far by means of a TC String in the context of the globally scoped consents, which is no longer supported by IAB Europe, shall be deleted without undue delay by the defendant''" and that it should prohibit the use legitimate interest as a legal ground for processing by the organisations participating in TCF in its current format.
 # To render the TCF compliant with the transparency and information obligation (Articles [[Article 12 GDPR|12]], [[Article 13 GDPR|13]], and [[Article 14 GDPR|14]] of the GDPR), by requiring TCF-registered CMPs to take a harmonised and GDPR-compliant approach regarding the information to be provided to users through their interface. Namely, any information provided about the processing must be precise, concise and understandable in order to avoid users being surprised by subsequent processing of their personal data by parties other than the publishers or IAB Europe.
-# To ensure compliance of the TCF with the principles of integrity and security, as well as data protection by design and by default (under Articles 5(1)(f) and 32 GDPR, and 25 GDPR) by creating effective technical and organisational monitoring measures to facilitate the exercise of data subject rights and to fix the the possibility that signals are falsified; implementing a strict vetting process for organisations participating to the TCF; and prohibiting the "''activati[on] of a default consent''"
+# To ensure compliance of the TCF with the principles of integrity and security, as well as data protection by design and by default (under Articles 5(1)(f) and 32 GDPR, and 25 GDPR) by creating effective technical and organisational monitoring measures to facilitate the exercise of data subject rights and to fix the possibility that signals are falsified; implementing a strict vetting process for organisations participating to the TCF; and prohibiting the "''activati[on] of a default consent''"
 # To keep records of processing activities carried out in the framework of the TCF, and in particular relating to the 119 processing of users' preferences and consent in the form of a TC String and the placement of a cookie euconsent-v2 on their devices.
 # To carry out a data protection impact assessment, covering both the processing activities under the TCF and the impact of these activities on subsequent processing under the OpenRTB.