Last week’s IAB Europe CJEU judgment (Case C-604/22) was loaded with lots to unpack and has provided a healthy dose of food for thought for those in the data privacy world and AdTech industry. This Insight untangles the CJEU’s recent findings on the broad concepts of what constitutes ‘personal data’ and scenarios of ‘joint controllership’.

IAB Europe is a non-profit association established in Belgium which refers to itself as the "European-level association for the digital marketing and advertising ecosystem”. In 2017, IAB Europe announced the Transparency and Consent Framework (TCF), an accountability tool that relies on standardisation to facilitate compliance with certain provisions of the GDPR (including to provide for GDPR-level transparency and obtain GDPR-level consent for collecting personal data and inserting that data into “Real-Time Bidding” (RTB) processes, where companies bid on the chance to display ads to users based on their personal data).

Many companies participate in the TCF. These participants handle personal data about the inferred preferences and characteristics of individuals, some of which may be sensitive. Importantly, TCF participants also exchange information about whether and how individuals consent to these activities via a code known as the Transparency and Consent String (the TC String). The consent management platform also places a cookie on the user’s device. When the TC String and cookie are combined, they can be linked to that individual’s IP address.

The case so far

The CJEU’s ruling follows IAB Europe’s challenge to a 2022 ruling by the Belgian Data Protection Authority (APD), which stated that IAB Europe’s TCF model did not comply with the GDPR. In particular, the APD found that the TC String was personal data to IAB Europe, because, when combined with other data available to the TCF participants, the TC String could reveal individuals’ consent preferences. The APD also considered that:

a. IAB Europe was a joint controller with the TCF participants in certain contexts, because the TCF set rules around how those participants obtained consent for collecting and using personal data; and

b. IAB Europe was a joint controller for personal data later processed in the RTB ecosystem, outside of the TCF rules.

IAB Europe appealed the APD’s decision and the Belgian Court of Appeal subsequently requested clarification on the matter from the CJEU.

The CJEU ruling

The CJEU found:

1. A TC String is personal data from the perspective of IAB Europe when it is “linkable” to (associated with) other identifiers (such as an IP address).

2. In relation to joint controllership:

a. Where IAB Europe sets technical specifications and rules around how TCF participants process consent-related personal data, it will be deemed a joint controller.

b. However, IAB Europe is not automatically a joint controller for the further processing of personal data outside of the remit of the TCF. This takes a narrower view of IAB Europe’s role than the APD provided.

TC String as personal data

The CJEU’s ruling reflects that where information is associated with (or can be linked to) an identifier, that information may make it possible to create a profile of that individual and identify them, thus falling within the meaning of ‘personal data’ under the GDPR.

A particularly interesting point made by the CJEU is that the fact that IAB Europe “cannot itself combine the TC string with the IP address of the device of a user” (and therefore does not have access to the personal data processed by the TCF participants) does not change the conclusion that the TC String constitutes personal data. Reference is made to Recital 28 of the GDPR - in particular that “it is not required that all the information enabling the identification of the data subject must be in the hands of one person”. Ruling that the TC String constitutes personal data, even in instances where the information that would make an individual identifiable is not accessible, confirms that it is the mere possibility of identification (the “reasonably likely” possibility) that is enough to bring the information within the definition of personal data, and all information does not necessarily need to be accessible by one organisation.

The scope of ‘personal data’ under the GDPR has been covered in various CJEU judgments and is, of course, vital to the applicability of the GDPR. On the same day as the CJEU’s judgment for IAB Europe, the CJEU also handed down its judgment in OC v the European Commission (Case C-479/22) whereby the CJEU, in overturning the General Court’s decision, confirmed that the possibility of combining the data in question with additional information constitutes a “means reasonably likely to be used” to identify the data subject. This decision aligns with existing CJEU case law and confirms the broad scope of ‘personal data’.

Joint controllership

The judgment recognises (a) the broad definition of ‘controller’ under the GDPR and (b) that a natural/legal person who influences the processing of personal data “for purposes that are its own” (and thus participates in the determination of the purposes and means of that processing) can be categorised as a joint controller.

In coming to its decision, the CJEU therefore considered whether IAB Europe (a) exerts influence over the processing of personal data, such as the TC string, for its own purposes, and (b) determines, jointly with others, the purposes and means of such processing. The CJEU has adopted the view that IAB Europe does exert influence over the data processing for its own purposes and determines (jointly) the purposes of those operations. The CJEU suggests that (a) a compliance programme (such as the TCF) constitutes a ‘means’ of processing under the GDPR, and (b) that technical specifications are determinations of the ‘means’ of processing.

The judgment confirms the position that joint controllership:

a. is a matter of fact - it cannot be limited to analysing formal conditions (e.g. the existence of a joint controller agreement);

b. does not necessarily imply equal responsibility - the level of responsibility of each controller must be assessed in the light of all relevant circumstances; and

c. does not require each joint controller to have access to the personal data concerned.

However, the CJEU confirmed that the possible joint controllership of the sectoral organisations does not extend automatically to further processing carried out by third parties (such as website or application providers).

Key takeaways

Overall, the judgment demonstrates that the CJEU continues to adopt a wide approach to the concepts of joint controllership and identifiability of individuals under the GDPR.

Now that the CJEU has clarified the questions referred to it, the Belgian Court of Appeal will rule on the case. While we await that ruling, key takeaways from this judgment include:

  • Organisations should recognise that, even in cases where it is not immediately apparent that ‘personal data’ is being processed, if it is reasonably possible for the information to be combined with other information to enable the identification of an individual, the GDPR will be triggered.
  • Access to personal data is not a prerequisite of joint controllership; an organisation providing rules, or specifications, for the processing of personal data, may be caught by the definition.

Although the case is an EU case, it has the potential to impact companies in the UK, whether by virtue of those organisations being directly caught by the EU GDPR’s extra-territorial scope, or as a helpful indication of how similar UK GDPR concepts may be interpreted.

Please do contact TLT’s data protection team if you have any questions or would like to discuss how we can assist your organisation in achieving compliance with the GDPR.

Authors: Emma Erskine-Fox and Georgía Philippou

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at March 2024. Specific advice should be sought for specific cases. For more information see our terms & conditions.

Written by

Emma Erskine-Fox

Emma Erskine-Fox

Date published

15 March 2024

Get in touch

RELATED INSIGHTS AND EVENTS

View all