On March 7th, the Court of Justice of the European Union handed in its ruling regarding the ongoing legal proceedings between IAB Europe and the Belgian Data Protection Authority (APD) about the Transparency & Consent Framework (TCF). 


For context, the story dates back to February 2022, when the Belgian APD issued a decision against IAB Europe, citing issues with its Transparency and Consent Framework (TCF). The decision was appealed and reviewed by the Belgian Market Court, which issued additional questions to the CJEU. In the meantime, IAB Europe presented an action plan and eventually released TCF V2.2, a new iteration of its framework introducing new requirements for publishers.


Fast forward to last week, and the Court of Justice of the European Union (CJEU) responded to the preliminary questions raised, focusing on two main points out of the initially raised by the Belgian APD:


  • The Transparency & Consent (TC) String, the consent signal stored by players in the advertising industry, is considered personal data by the CJEU.

  • IAB Europe could be considered a joint data controller, depending on whether its influence is exercised for its own purposes.


Let's examine these two points in detail and their potential implications.


TL;DR—What should you do as a Didomi client? No immediate changes are planned, so no action is necessary. Follow us on our blog and social media channels for future developments, and if you have any questions, don't hesitate to contact your account manager.


The Transparency & Consent (TC) String as Personal Data


According to the decision of the Court of Justice of the European Union (CJEU), for information to be classified as personal data, it is not necessary that this information, taken in isolation, allows the direct identification of the person.


The CJEU explicitly acknowledges that the TC-String, in itself, does not constitute personal data. It is only the potential to associate it with another identifier (such as the IP address) that confers the status of personal data to the TC-String.


The Court specifies that it is the association of this information with other data, particularly concerning an identifiable physical person, that characterizes the result as personal data. This interpretation is based on the idea that one must consider "all means reasonably likely to be used" by the data controller or any other person to identify the physical person, directly or indirectly.


However, this interpretation raises a question when considering the specific case of IAB Europe in the context of the TC-String. For this organization, the idea that it could, or even would want to, use means to associate the TC-String with other personal data to make this information identifiable seems implausible. Indeed, IAB Europe, by the very nature of its role and operations, is not in a position where it can or wants to combine data in this way. Thus, one might wonder if the criterion of "means reasonably likely to be used" to identify a person has been fully considered in their case.


This leads to a reflection on the systematic attribution of the status of personal data to the TC-String in all contexts. Is it entirely justified to consider this information as personal data when the possibility of making it identifiable for certain entities like IAB Europe is non-existent?


IAB Europe as a data controller


The decision introduces a potentially new criterion for determining joint responsibility: the existence of one's own purposes.


Traditionally, joint responsibility was attributed to entities having a decisive influence on the purposes and means of processing personal data. However, this decision suggests that an entity can be considered a joint controller if it has its own purposes, in this case, “to facilitate and enable the sale and purchase of advertising space on the Internet by said operators.”


This expanded interpretation raises several important questions:


Standardization vs responsibility

Any organization that establishes rules or standards in an industry participates in standardization. Could the CJEU's decision mean that such organizations, regardless of their direct involvement in data processing, can be considered responsible solely because of these standardization activities?


By pushing this logic to its extreme, we could face unexpected and paradoxical consequences. 


Take, for example, national data protection authorities (DPAs), like the CNIL in France, which issue guidelines and recommendations regarding, among other things, the use of cookies. These authorities, through their actions, establish a certain form of standardization of practices within the digital space, with the explicit purpose (their “own purposes” in the sense of the CJEU’s ruling) of protecting users' privacy and personal data.


If we rigorously apply the criterion established by the CJEU concerning IAB Europe, a literal interpretation could also lead to considering these regulatory authorities as joint data controllers. Indeed, by establishing norms and regulatory frameworks, they directly influence the methods and objectives of data processing carried out by industry players.


This reductio ad absurdum highlights a notable paradox: entities whose primary mission is to create standards to guarantee a higher level of protection could be seen, according to this extreme interpretation, as stakeholders in these same processing activities. This perspective raises a fundamental question about the limits of joint responsibility and the importance of not excessively extending this notion, at the risk of diluting the real responsibility of actors directly involved in data processing.


Perverse effect on standardization practices

The broad attribution of joint responsibility to organizations responsible for standardizing market practices, as illustrated by the CJEU's decision concerning IAB Europe, raises pragmatic concerns. 


These organizations play a crucial role in harmonizing processes and facilitating exchanges within the digital market, thus making compliance more accessible to all players, including control authorities. The prospect of being assigned an extended and potentially heavy legal responsibility could discourage these entities from continuing their standardization efforts. 


This is particularly concerning since standardization is not only beneficial but also required to ensure consistent and secure practices in the processing of personal data in accordance with the GDPR’s requirements.


In the wake of this reflection, a pertinent question arises regarding the organizations that contribute to the development and approval of codes of conduct, like the one dedicated to Infrastructure-as-a-Service (IaaS) providers approved by the CNIL. These organizations, although they do not directly process personal data but rather facilitate the organization of practices within a specific sector, could be assigned joint processing responsibility under the current interpretation of the GDPR. 


However, it is important to emphasize that the GDPR, in its provisions relating to codes of conduct, does not explicitly establish that organizations supporting or promoting these codes be considered joint controllers of the data processing carried out by their members.


Systematically equating support for a code of conduct with joint responsibility in data processing could deter organizations from taking this path due to the potential legal responsibilities and risks involved.


We risk creating perverse effects by imposing an additional burden on organizations that facilitate compliance and market practice compliance. Instead of encouraging the creation and adoption of standards that ensure better personal data protection and greater transparency, this approach could lead to a reluctance to develop and follow such frameworks. The irony lies in the fact that while the GDPR promotes and requires standardized practices for data protection, the interpretation of joint responsibility could hinder this dynamic, counter to the objectives of the regulation.


Scope of responsibility

A major question remains: what is the real extent of IAB Europe's responsibility? 


Indeed, IAB Europe, as an entity, never accesses the TC String and, therefore, does not directly participate in the processing of personal data. Its main function lies in standardizing procedures for the collection of consent without direct influence on the specific data processing operations of its members. Thus, the impact of users' choices, whether they exercise their preferences or not, does not directly affect IAB Europe or its internal operations.


This situation raises the delicate question of determining how far IAB Europe's responsibility extends.


If this entity is considered a joint controller, what is the scope of this responsibility? Is it held responsible for the actions of all TCF members, including if some do not respect the policies established by the TCF? The establishment of such broad responsibility seems not only disproportionate but also potentially harmful to the entire digital ecosystem.


Attributing extended responsibility to IAB Europe could not only weaken this organization but also threaten the very viability of the standardization it seeks to promote. In a scenario where the legal and financial risks become unsustainable for IAB Europe, this could lead to the collapse of the TCF. The absence of a framework such as the TCF could reintroduce a "Wild West" environment characterized by various disparate and uncoordinated practices for processing user consent. This would complicate the task of market players seeking to comply with regulatory requirements and control authorities engaged in overseeing GDPR compliance across a much more fragmented and heterogeneous digital landscape.


Potential consequences of this decision?


In a context where the Belgian Court of Appeal considers IAB Europe a joint data controller of the TC-String, it is conceivable that the organization introduces a new specific purpose for processing this data. We could thus imagine the creation of a purpose for managing and preserving users' choices related to the protection of their personal data. This approach would aim to ensure transparent and compliant management of user consent preferences.


Moreover, integrating IAB Europe into cookie banners as a data controller raises the question of establishing an adequate legal basis for this processing. Among the legal bases provided by the GDPR, the obligation to comply with a legal obligation appears as a relevant option. This legal basis could justify the collection and processing of users' choices in compliance with the GDPR’s requirements. This could be the subject of version 2.3 of the TCF.


What's next?


On the continuation of the legal proceedings, the CJEU decision now guides the case to the Belgian Court of Appeal, which will have the European Court's answers and observations to continue its deliberations.


A decision by the Court of Appeal can be expected by the end of 2024 or early 2025. This new decision could mark an additional step in the judicial process without actually bringing the debate to a close.


This legal saga will likely continue to be at the center stage of the digital industry for years to come.