Hof van Beroep - Tussenarrest 2022/AR/292

From GDPRhub
Hof van Beroep - Tussenarrest 2022/AR/292
Courts logo1.png
Court: Court of Appeal of Brussels (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5(1)(f) GDPR
Article 5(1)(a) GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 24 GDPR
Article 25 GDPR
Article 30 GDPR
Article 32 GDPR
Article 35 GDPR
Article 37 GDPR
Article 38 GDPR
Article 39 GDPR
Decided: 07.09.2022
Published:
Parties:
National Case Number/Name: Tussenarrest 2022/AR/292
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: GBA (in Dutch)
Initial Contributor: n/a

The Belgian Court of Appeal (Marktenhof) referred two questions to the CJEU. It asked whether an TC-String (code containing the user's consent decision) is personal data and asked about the nature of joint controllers.

English Summary[edit | edit source]

Facts[edit | edit source]

The Belgian 'Gegevensbeschermingsauthoriteit' (DPA) received multiple complaints against IAB, a digital advertising company (alleged controller). The complaints concerned the ‘Transparency and Consent Framework (TCF), which was developed by the alleged controller. TCF is a standard technical framework that enables websites, advertisers and ad-agencies to obtain, record, and update consumer consent, objections and preferences for web pages. TCF was meant to help companies to become more GDPR compliant. Also, TCF makes it overall easier to record preferences of data subject for companies that use the so called ‘consent management platform’ (CMP), which is an interface that appears when a data subject first navigates to a websites or uses an application for the first time. Here, a data subject can give consent for the collecting and/or sharing of personal data or object to the processing of his/her data. These preferences are then saved and encoded in a ‘TC-string,’ which can be shared with other companies. The CMP also places a cookie on the device of the data subject in question. The TC string and this cookie could also be coupled with the IP-address of the data subject.

Following the several complaints, the DPA started an investigation into IAB. After the DPA finished its investigation, it fined the alleged controller €250,000. In its decision, the DPA held amongst other things that IAB was the controller with regard to the processing of the registration of consent and objection of data subjects in the TC-string.

The DPA also held that the alleged controller had to bring its processing activities in compliance with the GDPR. It had to provide a legal ground for processing in the context of TCF. It also needed to restrict its customers from using an opt-in consent in the CMP-interface, where data subjects would consent to legitimate interest (Article 6(1)(f) GDPR) as a legal basis. In addition, the alleged controller had to implement appropriate technical and organizational measures to guarantee the integrity and confidentiality of a TC-string and had to check its customers taking part in TCF if they were GDPR compliant.

The alleged controller appealed the DPA’s decision at the Belgian Court of Appeal. It requested the Court to overturn the previous decision on various grounds. It held amongst other things that it wasn’t the (joint) controller for processing operations with the TC-string. It also stated that it didn’t process personal data in the first place.  

During this appeal, the complainants voluntarily joined the proceedings with their own requests, primarily supporting the DPA in its arguments. The main request of the complainants entailed the referral of questions to the European Court of Justice (CJEU). These were in essence the following:

Question 1: Is the TC-String (with or without a combination with an IP-address) personal data for the controller? Is a TC-String personal data? And in combination with an IP-address?

Question 2: Is IAB a (joint) controller?

Holding[edit | edit source]

The Court suspended the case and referred the following questions to the CJEU:

1)

Is the TC-string personal data (with or without a combination with an IP-address) for the alleged controller and/or with regard to companies that use the TC-string? (Article 4(1) GDPR)

2)

a) Is IAB a (joint) controller (Article 4(7) GDPR and Article 24(1) GDPR)?

b) Does it matter whether or not IAB has access to the personal data which is processed by companies that use the standards of IAB?

c) If IAB is indeed a (joint) controller, does this also entail responsibility for further processing by third parties regarding the preferences of data subjects, such as targeted online advertising?

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.