CJEU - C-604/22 - IAB Europe

From GDPRhub
CJEU - C-604/22 IAB Europe
Cjeulogo.png
Court: CJEU
Jurisdiction: European Union
Relevant Law: Article 4(1) GDPR
Article 4(7) GDPR
Article 26(1) GDPR
Decided: 07.03.2024
Parties:
Case Number/Name: C-604/22 IAB Europe
European Case Law Identifier: ECLI:EU:C:2024:214
Reference from: Court of Appeal of Brussels (Belgium)
Language: 24 EU Languages
Original Source: Judgement
Initial Contributor: mg

The CJEU held that a string used to inform advertisers of a user’s consent preferences is personal data and IAB Europe - the entity providing the framework for the use of such a string – controller under the GDPR. However, controllership does not extend to advertising processing activities that take place on the basis of the consent collected through the string.

English Summary

Facts

IAB Europe (‘IAB’) is an association of undertakings active in the field of digital advertising. IAB developed the “Transparency & Consent Framework” (“the TCF”) which provides a set of rules and technical standards for firms operating in this sector. The purpose is to make processing of personal data for online advertising compliant with the GDPR.

In particular, the TCF specifies how those operators should use the OpenRTB protocol, a widely used Real Time Bidding (‘RTB’) system. RTB consists in an instant and automated online auction of users profiles for the purpose of selling and purchasing advertising space online. When an internet user visits a webpage where advertising space is available, the server sends the user’s data to a platform where advertisers representing thousands of brands can bid in order to win a spot to display their advertisements. Advertisement is personalised in the sense that advertisers bid not only on the available space, but also on the basis of the features of the user visiting the page (such as location, marketing profiles, browsing history etc.).

As the bid entails processing of personal data, for this operation to be possible users are asked to give their consent when they first visit the publisher’s website through a Consent Management Platform (‘CMP’). Consent preferences are stored in a Transparency and Consent String (‘TC String’) that is subsequently shared with advertisers and data brokers, in order to show whether a user has given consent to the processing of personal data. In parallel, the CMP places a cookie – euconsent-v2 – on the user’s device. Importantly, the combination of a TC String and the euconsent-v2 cookie can reveal the user’s IP address.

On 2 February 2022, the Belgian DPA, acting as a LSA, found that TC Strings are personal data and IAB controller pursuant to the GDPR. The DPA found GDPR violations and imposed an administrative fine.

The IAB appealed the decision before the Court of Appeal of Brussels. They claimed that the TC String is not personal data pursuant to Article 4(1) GDPR and that IAB is not controller under Article 4(7) GDPR.

The court referred some preliminary questions to the CJEU. In particular, the referring court asked whether the TC String can be considered personal data and whether IAB was joint controller with its members with regard to the processing of such a string.

Holding

Concerning the first question, the CJEU highlighted that personal data under Article 4(1) GDPR is any information related to an identified or an identifiable person. A person can identifiable both directly and indirectly. With that, the CJEU means that it is not necessary that information alone allows the data subject to be identified. Personal is also data that can be attributed to a person by means of additional information. According to Recital 26 GDPR, identifiability is linked to the concept of reasonable means, in the sense that a controller does not need to have all the information that is necessary to identify: it is rather sufficient that the controller is in the position to retrieve such an identifying information without a disproportionate effort.

In the present case, the Court noted that a TC String, despite not containing elements that enable the identification of the data subject, still contains preferences that are specific to a single user. If the TC String is linked to an identifier, such as (but not only) an IP address, a specific user can be singled out and identified.

The Court stressed that the fact that IAB could not directly combine TC String with additional identifiers, nor have direct access to such identifiers, is irrelevant, as IAB was entitled to require this data through “external contributions” from its adhering members. This element was considered sufficient by the CJEU to meet the ‘reasonable means’ requirement for the identification of a person.

Concerning the second question, the Court reminded how the GDPR aims at guaranteeing a high level of protection of the fundamental rights and freedoms of natural persons, in particular as enshrined in Article 8(1) of the Charter. Therefore, the scope of Article 4(7) GDPR on the notion of controller shall be interpreted broadly.

To answer the question of controllership with regard to IAB, the Court then assessed whether the latter exerted influence over the processing for its own purposes and determined, jointly with others, purposes and means of the processing.

With regard to the purpose of the processing, the CJEU found that the TCF aimed at promoting and enabling the sale and purchase of advertising space on the internet by making such an activity compliant with the GDPR. In this context, IAB undoubtedly exerted an influence over a personal data processing data was undertaken for a purpose that belonged, among others, to IAB.

With regard to the means of the processing, the CJEU held that the members of IAB were supposed to accept IAB’s rules and technical standards. If they did not, IAB could suspend their participation in the TCF, making compliance with the GDPR in the context of RTB more complex. Moreover, IAB technical specifications included detailed rules on how to generate and store the TC String. Thus, IAB also largely determined the means of the processing.

However, the CJEU distinguished between certain processing operation for which IAB Europe actually determined purposes and means – e.g. the creation, sharing and storage of the TC String – and subsequent processing operations that are made possible by the TC String, but on which IAB did not exert any influence – such as the advertising operations (sharing, targeting) undertaken by entities on the basis of the user’s preferences stored on the TC String. The Court held that IAB was joint controller with its members only with regard to the first group of processing activities.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!