Request for a preliminary ruling from the Hof van beroep te Brussel (Belgium) lodged on 19 September 2022 – IAB Europe v Gegevensbeschermingsautoriteit; Other parties: TR and Others

(Case C-604/22)

Language of the case: Dutch

Referring court

Hof van beroep te Brussel

Parties to the main proceedings

Applicant: IAB Europe

Defendant: Gegevensbeschermingsautoriteit

Other parties: TR, UV, SP, Fundacja Panoptykon, Stichting Bits of Freedom, Ligue des Droits Humains VZW

Questions referred

(a) Must Article 4(1) of Regulation (EU) 2016/679 ¹ of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, read in combination with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a character string that captures the preferences of an Internet user in connection with the processing of his or her personal data in a structured and machine-readable manner constitutes personal data within the meaning of the said provision in respect of (1) a sectoral organisation which makes available to its members a standard whereby it prescribes to them how that string should be generated, stored and/or distributed practically and technically, and (2) the parties that have implemented that standard on their websites or in their apps and thus have access to that string?

(b)    Does it make a difference in that regard if the implementation of the standard means that this string is available together with an IP address?

(c)    Does the answer to questions 1(a) and 1(b) lead to a different conclusion if this standard-setting sectoral organisation does not itself have legal access to the personal data that are processed within this standard by its members?

(a) Must Articles 4(7) and 24(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, read in combination with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a standard-setting sectoral organisation must be classified as a controller if it offers its members a standard for managing consent which contains, in addition to a binding technical framework, rules setting out in detail how those consent data – which constitute personal data – must be stored and disseminated?

(b)    Does the answer to question 2(a) lead to a different conclusion if this sectoral organisation itself does not itself have legal access to the personal data that are processed within this standard by its members?

(c)    If the standard-setting sectoral organisation must be designated as a controller or a joint controller for the processing of Internet users’ preferences, does that (joint) responsibility of the standard-setting sectoral organisation therefore automatically extend to the subsequent processing by third parties for which the Internet users’ preferences were obtained, such as targeted online advertising by publishers and vendors?

____________