On 7 March 2024, the CJEU issued its judgment in the IAB Europe case (C-604/22). In this judgment, the CJEU clarified the notion of personal data and the role of parties under the GDPR in the AdTech sector, in particular with respect to IAB Europe’s Transparency and Consent Framework (TCF) and the so-called TC String. We set out the Court’s key findings below.
Background
IAB Europe represents stakeholders in the AdTech sector. Its TCF is a framework which aims to enable TCF participants (e.g. advertisers) to process users’ personal data in compliance with the GDPR in their digital ads activities.
Before ads can be displayed to users, users must consent to the use of their personal data for such purposes. The TCF encodes users’ preferences in an alphanumerical code – the so-called TC String. The TC String is then shared with various stakeholders (e.g. data brokers and advertising platforms), allowing them to understand users’ preferences.
Is the TC String personal data?
According to the CJEU, the TC String is considered personal data for IAB Europe – and therefore is subject to the GDPR – if IAB Europe has reasonable means to identify the users whom the TC String relates to. The latter should be verified by the national courts. The Court suggests that IAB Europe does have such reasonable means because it can compel TCF participants to provide it with additional information which would allow it to identify users.
Is IAB Europe a joint controller with TCF participants?
The CJEU holds that IAB Europe is a joint controller with TCF participants – and therefore co-responsible under the GDPR – if IAB Europe exerts influence on the processing of personal data for its own purposes and determines the purposes and means of such processing jointly with the TCF participants. This question is also for the national courts to verify. According to the CJEU, this appears to be the case because IAB Europe aims to promote and enable the sale and purchase of advertising space on the internet through its TCF. The Court considers the means for the processing of personal data to be the TCF because the TCF contains technical specifications and the precise rules relating to the processing of the TC String.
However, the Court holds that joint controllership should be limited to processing operations in which IAB Europe has exerted influence and determined their purposes and means. This means that joint controllership cannot be automatically extended to subsequent processing activities. The CJEU states that IAB Europe does not appear to be involved in the processing of personal data of TCF participants after the users’ preferences are recorded in the TC String, such as the actual offering of ads, but that this should be confirmed by the national courts.
Takeaways for businesses active in the AdTech sector
The CJEU judgment contains several assumptions on whether the TC String is personal data and whether and the extent to which IAB Europe is a joint controller with the businesses relying on the TCF. These assumptions are now subject to the national court’s verification. If the national court confirms these assumptions, this could bring significant changes to the roles, responsibilities and liabilities of all companies active in the digital ads eco-system. AdTech vendors, publishers and advertisers are recommended to assess the potential consequences of these changes and to develop appropriate mitigation strategies on that basis.