Court of Appeal of Brussels - 2022/AR/292
| Hof van Beroep - Tussenarrest 2022/AR/292 | |
|---|---|
 | |
| Court: | Court of Appeal of Brussels (Belgium) |
| Jurisdiction: | Belgium |
| Relevant Law: | Article 5(1)(f) GDPR Article 5(1)(a) GDPR Article 6 GDPR Article 12 GDPR Article 13 GDPR Article 14 GDPR Article 24 GDPR Article 25 GDPR Article 30 GDPR Article 32 GDPR Article 35 GDPR Article 37 GDPR Article 38 GDPR Article 39 GDPR |
| Decided: | 07.09.2022 |
| Published: | |
| Parties: | |
| National Case Number/Name: | Tussenarrest 2022/AR/292 |
| European Case Law Identifier: | |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Dutch |
| Original Source: | GBA (in Dutch) |
| Initial Contributor: | n/a |
The Belgian Court of Appeal (Marktenhof) referred two questions to the CJEU. It asked whether an TC-String (code containing the user's consent decision) is personal data and asked about the nature of joint controllers.
English Summary
Facts
The Belgian 'Gegevensbeschermingsauthoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad-agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies to become more GDPR compliant. Also, TCF makes it overall easier to record preferences of data subject for companies that use the so called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string,’ which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie could also be coupled with the IP-address of the data subject.
Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held amongst other things that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string.
The DPA also held that the alleged controller had to bring its processing activities in compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organizational measures to guarantee the integrity and confidentiality of a TC-string and had to check its customers taking part in TCF if they were GDPR compliant.
The alleged controller appealed the DPA’s decision at the Belgian Court of Appeal. It requested the Court to overturn the previous decision on various grounds. It held amongst other things that it wasn’t the (joint) controller for processing operations with the TC-string. It also stated that it didn’t process personal data in the first place.
During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the European Court of Justice (CJEU). These were in essence the following:
Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller? Is a TC-String personal data? And in combination with an IP-address?
Question 2: Is IAB a (joint) controller?
Holding
The Court suspended the case and referred the following questions to the CJEU:
1)
Is the TC-string personal data (with or without a combination with an IP-address) for the alleged controller and/or with regard to companies that use the TC-string? (Article 4(1) GDPR)
2)
a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)?
b) Does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB?
c) If IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of data subjects, such as targeted online advertising?
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
