Case C‑604/22
IAB Europe
v
Gegevensbeschermingsautoriteit
(Request for a preliminary ruling from the hof van beroep te Brussel)
Judgment of the Court (Fourth Chamber) of 7 March 2024
(Reference for a preliminary ruling – Protection of natural persons with regard to the processing of personal data – Regulation (EU) 2016/679 – Standard-setting sectoral organisation proposing to its members rules on the processing of users’ consent – Article 4(1) – Concept of ‘personal data’ – String of letters and characters capturing, in a structured and machine-readable manner, the preferences of an internet user relating to the consent of that user to the processing of his or her personal data – Article 4(7) – Concept of ‘controller’ – Article 26(1) – Concept of ‘joint controllers’ – Organisation which does not itself have access to the personal data processed by its members – Responsibility of the organisation extending to the subsequent processing of data carried out by third parties)
1. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Concept of personal data – String of letters and characters containing the preferences of an internet user relating to his or her consent to the processing of his or her personal data – Included – Condition – String allowing the data subject to be identified – No possibility for a sectoral organisation holding that string to access the data processed by its members or to combine that string with other factors – Irrelevant
(European Parliament and Council Regulation 2016/679, Art. 4(1))
(see paragraphs 41-51, operative part 1)
2. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Concept of joint controllers – Standard-setting sectoral organisation proposing to its members rules on the processing of users’ consent – Included – Condition – Influence exerted by that organisation over the personal data processing at issue and determination by it, jointly with its members, of the purposes and means of such processing – Organisation which does not have direct access to the personal data processed by its members – Irrelevant
(European Parliament and Council Regulation 2016/679, Arts 4(7) and 26(1))
(see paragraphs 57-68, 77, operative part 2)
3. Protection of natural persons with regard to the processing of personal data – Regulation 2016/679 – Joint controllership – Standard-setting sectoral organisation proposing to its members rules on the processing of users’ consent – Joint controllership of that organisation extending automatically to the subsequent processing of data carried out by third parties – None
(European Parliament and Council Regulation 2016/679, Arts 4(7) and 26(1))
(see paragraphs 74-77, operative part 2)
Résumé
Asked to give a preliminary ruling, the Court of Justice clarifies, first, the concept of ‘personal data’ (1) and, second, the circumstances in which a sectoral organisation, in so far as it proposes to its members a framework of rules relating to consent to the processing of personal data, must be classified as a ‘joint controller’. (2) The Court also sets the limits of the joint controllership of such an organisation.
IAB Europe is a non-profit association established in Belgium which represents undertakings in the digital advertising and marketing sector at European level.
IAB Europe has drawn up the Transparency & Consent Framework (‘the TCF’), a framework of rules intended to ensure that the processing of personal data of a user of a website or application carried out by certain operators is in compliance with the GDPR. The TCF promotes compliance with the GDPR when those operators rely on the OpenRTB protocol, which is used for Real Time Bidding, an instant and automated online auction system of user profiles for the purpose of selling and purchasing advertising space on the internet.
In that context, the TCF facilitates the recording of users’ preferences which are subsequently encoded and stored in a string composed of a combination of letters and characters referred to by IAB Europe as the Transparency and Consent String (‘the TC String’). That string is shared with personal data brokers and advertising platforms participating in the OpenRTB protocol, so that they know to what the user has or has not consented. A cookie is also placed on the user’s device; that cookie, when combined with the TC String, can be linked to that user’s IP address.
Following a number of complaints against IAB Europe, the Litigation Chamber of the Gegevensbeschermingsautoriteit (Data Protection Authority, Belgium), by its decision of 2 February 2022, ordered IAB Europe, the data controller, to bring into conformity with the provisions of the GDPR the processing of data carried out in the context of the TCF.
IAB Europe brought an action against that decision before the hof van beroep te Brussel (Court of Appeal, Brussels, Belgium). Having doubts as to whether a TC String, be it combined with an IP address or not, constitutes personal data and, if so, whether IAB Europe must be classified as a data controller in the context of the TCF, in particular with regard to the processing of the TC String, the Court of Appeal, Brussels, has made a reference to the Court of Justice for a preliminary ruling.
Findings of the Court
In the first place, the Court notes that a string composed of a combination of letters and characters, such as the TC String, contains the preferences of a user of the internet or of an application relating to that user’s consent to the processing by third parties of personal data concerning him or her or relating to any objection by him or her to the processing of such data based on an alleged legitimate interest. (3)
In that regard, the Court considers that, in so far as associating the TC String with the IP address of a user’s device or with other identifiers allows that user to be identified, the TC String contains information concerning an identifiable user and therefore constitutes personal data. (4) Furthermore, the fact that IAB Europe cannot itself combine the TC String with the IP address of a user’s device and does not have the possibility of directly accessing the data processed by its members in the context of the TCF does not preclude a TC String from being classified as ‘personal data’. (5)
Moreover, the members of IAB Europe are required to provide that organisation, at its request, with all the information allowing it to identify the users whose data are the subject of a TC String. It therefore appears, subject to the verifications which are for the referring court to carry out, that IAB Europe has reasonable means allowing it to identify a particular natural person from a TC String, on the basis of the information which its members and other organisations participating in the TCF are required to provide to it. (6)
Thus, the Court concludes that a TC String constitutes personal data within the meaning of Article 4(1) of the GDPR. It is irrelevant that, without an external contribution which it is entitled to require, such a sectoral organisation can neither access the data that are processed by its members under the rules which it has established nor combine the TC String with other identifiers, such as the IP address of a user’s device.
In the second place, the Court examines whether IAB Europe may be regarded as a joint controller. (7) To that end, it is necessary to assess whether that organisation exerts influence over the processing of personal data, such as the TC String, for its own purposes, and determines, jointly with others, the purposes and means of such processing.
As regards, first of all, the purposes of such data processing, the Court notes that the TCF established by IAB Europe aims, in essence, to promote and enable the sale and purchase of advertising space on the internet by certain operators which participate in the online auctioning of advertising space. Accordingly, subject to the verifications which are for the referring court to carry out, IAB Europe exerts influence over personal data processing operations for its own purposes and determines, as a result, jointly with its members, the purposes of such operations.
Next, as regards the means employed for the purposes of that processing, the Court observes, subject to the verifications to be carried out by the referring court, that the TCF constitutes a framework of rules which the members of IAB Europe are supposed to accept in order to join that association. In particular, if one of its members does not comply with those rules, IAB Europe may adopt a non-compliance and suspension decision which may result in the exclusion of that member from the TCF and prevent it from relying on the guarantee of GDPR compliance provided by the TCF with regard to the data processing carried out using TC Strings. Furthermore, the TCF established by IAB Europe contains technical specifications relating to the processing of the TC String as well as precise rules regarding the content, storage and sharing of the TC String. Moreover, the Court points out that IAB Europe prescribes, as part of those rules, the standardised manner in which the various parties involved in the TCF may consult the preferences, objections and consents of users contained in the TC Strings.
In those circumstances, and subject to the abovementioned verifications, the Court concludes that a sectoral organisation such as IAB Europe exerts influence over personal data processing operations for its own purposes, and determines, as a result, jointly with its members, the means behind such operations. It must therefore be regarded as a ‘joint controller’. (8)
Lastly, the Court states that there is a distinction between the processing of personal data carried out by the members of IAB Europe, such as website or application providers, data brokers or advertising platforms, when the consent preferences of the users concerned are recorded in a TC String in accordance with the rules established in the TCF, on the one hand, and the subsequent processing of such data carried out by those operators and by third parties on the basis of those preferences, such as the transmission of the data to third parties or the offering of personalised advertising to those users, on the other.
Accordingly, a sectoral organisation, such as IAB Europe, may be regarded as a controller in respect of such subsequent processing only where it is established that that organisation has exerted an influence over the determination of the purposes and means of that processing, which it is for the referring court to ascertain.