IAB Europe first preliminary question

When an internet user visits a website that displays personalized ads, advertisers can bid for ad space within a split second to show advertising to the internet user. This is also known as “Real Time Bidding”. IAB Europe, a sector organization for digital advertising and marketing in Europe, developed the Transparency and Consent Framework (“TCF”) through which it aimed to bring this Real Time Bidding practice in line with the General Data Protection Regulation (“GDPR”). This includes storing the internet user’s cookie preferences in a Transparency and Consent string (“TC string”). The Belgian regulator, the Data Protection Authority (“GBA”), imposed a fine on IAB Europe because – in a nutshell – the TC string is personal data and IAB Europe, as a data controller, did not act in accordance with the GDPR.

On March 7, 2024, the Court of Justice of the European Union (“the Court”) ruled in the IAB Europe/GBA judgment in response to the first preliminary question that a TC string is personal data within the meaning of the GDPR.[1] This first blog explains how the Court reached that conclusion. The answer to the second preliminary question, whether a standard-setting sector organization should qualify as a (joint) controller, is the subject of the second blog.

TC String

The TC string consists of letter and character strings in which the internet user’s preferences are encoded. From this TC string it can be deduced whether an internet user has consented or objected to the processing of his/her personal data. These preferences relate to the specific purposes for processing, such as marketing or advertising, as well as the parties with whom the personal data may be shared.

Personal data?

Personal data refers to any information about an identified or identifiable person (Article 4(1) GDPR). This occurs when information is directly or indirectly traceable to a natural person. However, the referring Belgian court doubts whether a TC string falls under this definition. It has been established that a TC string, together with a specific cookie, can be linked to the IP address of the internet user. IAB Europe states that only its participants have the necessary data to link the TC string to an IP address. IAB Europe itself does not have access to that additional data from its participants. The referring court specifically asks the Court whether the TC string (i) for IAB Europe and (ii) for the participants can be qualified as personal data.

Case law on the concept of personal data

In light of previous case law of the Court on the concept of “personal data,” it is understandable that the referring court specifically asks whether the TC string is personal data from the standpoint of IAB Europe and that of its participants.

As it happens, it follows from the Breyer ruling[2] that for the purpose of answering the question of whether information is personal data, it does not matter that a party does not itself possess all the information that could lead to the identification of a person. What matters is whether a party possesses means that can reasonably be used to identify a person.[3] In the Breyer case, the provider of online media services had legal means to request additional data from the internet service provider that could be used to link the internet user to the dynamic IP address. The dynamic IP address was therefore personal data for the online media service provider.

In early April 2023, the Court held in its SRB/EDPS judgment[4] that it follows from the Breyer judgment that you have to assess from the perspective of each individual party whether information concerns personal data for that individual party. That one party (the ‘Single Resolution Board’, or in Dutch, the ‘Gemeenschappelijke Afwikkelingsraad’, (“SRB”)) has (additional) data to identify a person does not automatically mean that the other party (Deloitte) can reasonably have it. The Court required the EDPS to further investigate and substantiate that Deloitte would actually be able to identify a person on the basis of the information made available to it by SRB and given the means that Deloitte could reasonably use to identify a person.[5]

Subsequently, in the dispute between Gesamtverband Autoteile-Handel eV v. Scania at the end of 2023[6], the Court held that a vehicle identification number (“VIN”) in itself is not personal data for car manufacturers and independent operators. However, the VIN becomes indirectly traceable personal data when a party (car manufacturer or independent operator) has reasonable means to use the VIN, in combination with additional data, to identify a natural person.

The fact that the perspective of the recipients and the reasonable means available to them must be taken into account when assessing whether a piece of data is ‘personal data’ was recently confirmed by the Court in the OC v. Commission judgment.[7] In it, the Court ruled that when publishing data in a press release, consideration must be given to whether readers have means of tracing that data. In this regard, the Court considers relevant whether the content of the press release is newsworthy, thereby prompting readers, especially journalists, to investigate.

Is the TC string personal data for IAB Europe?

Going back to the case of IAB Europe, the Court does not seem to deviate from the line in the aforementioned rulings. The Court concludes that a TC string can be personal data because a user can be identified by linking the data from the string to other data, such as the IP address. In its assessment, the Court emphasizes that it is irrelevant in this situation that IAB Europe itself could not link the IP address to the TC string. Nor is it relevant that IAB Europe did not have access to the data processed within TCF by its members.[8] In doing so, the Court does not appear to attach any importance to the fact that IAB Europe does not have direct access to all data that could lead to identification. However, the Court goes on to say that IAB Europe can apparently require its members to provide, upon request, any information that would allow them to identify users whose data is stored in a TC string. If these rules were not followed, members could be suspended and excluded from the TCF. Because IAB Europe agreed this with its members, it may have had (indirect) access to data. The Court held that the latter should be verified by the national court.

Conclusion following the IAB Europe/SRB ruling

Following the Breyer judgment, the IAB Europe judgment confirms that a contractual obligation may be a means that can reasonably be used to obtain data that could lead to the identification of a person. However, the Court leaves room for the question about the qualification of the data for IAB Europe if the referring court concludes that IAB Europe does not itself possess the means that could reasonably lead to the identification of a person. In line with the aforementioned case law, the conclusion could be that it is indirect personal data for IAB Europe in that case. The rulings provide guidance for determining whether a piece of data is personal data; however, they do not make that determination much easier.

This blog was written by Corine d’Hulst and Marijn Rooke

[1] ECLI:EU:C:2024:214.

[2] ECLI:EU:C:2016:779.

[3] Reasonable means did not exist, according to the Court in the Breyer decision, if identification was prohibited by law or impracticable.

[4] ECLI:EU:T:2023:219

[5] This ruling was appealed to the Court of Appeals.

[6] ECLI:EU:C:2023:837

[7] ECLI:EU:C:2024:215

[8] ECLI:EU:C:2024:214, para. 46