IAB Europe second preliminary question

The judgment of the Court of Justice of the European Union (“the Court“) in the case of IAB Europe v. Belgian Data Protection Authority (“GBA“) focused on two preliminary questions.[1] On the Court’s answer to the first preliminary question, whether a Transparency and Consent String (“TC String“) is personal data within the meaning of the General Data Protection Regulation (“GDPR“), we wrote a first blog. The Court’s answer to the second preliminary question, whether a standard-setting sector organization should qualify as a (joint) controller, is the subject of this blog.

Facts

IAB Europe is a Belgium-based sector organization (a non-profit association) for digital advertising and marketing in Europe. It has developed a Transparency and Consent Framework(“TCF“) used in the real-timesale and purchase of online personalized advertising space based on the so-called OpenRTB protocol (RTB stands for real time bidding). The TCF is a standard consisting of guidelines, instructions, technical specifications, protocols and contractual obligations that should enable both website or application providers and data brokers or advertising platforms to lawfully (in accordance with the GDPR) process personal data of users of an website or application. Part of the TCF is the Consent Management Platform(“CMP“) through which data subjects can express their consents and objections, which are then stored in the TC string. Starting in 2019, the GBA received several complaints from various countries, and in February 2022,[2] the GBA’s dispute resolution chamber ruled that IAB Europe is a data controller for the processing of the personal data in the TC string and as such has violated the GDPR, which resulted in IAB Europe being fined €250,000. IAB Europe contests, among other things, the qualification of data controller before the Court of Appeal Brussels, which court, as the referring court, asks the preliminary questions in these proceedings.

Second preliminary question

The second preliminary question answers the question whether Article 4(7) of the GDPR is to be interpreted as meaning that (1) a standard-setting sectoral organization which provides its members with a standard drawn up by it (including binding technical rules and regulations on how personal data are to be stored and disseminated) is to be regarded as a “data controller” and whether the answer to this question depends on whether that sectoral organization itself has direct access to the personal data processed by its members within that standard and (2) any joint responsibility of that sectoral organization automatically extends to subsequent processing of personal data by third parties – such as website or application providers – with respect to users’ preferences for the purpose of targeted online advertising.

Court’s response to the questions: the legal framework

In answering the questions, the Court starts by outlining the legal framework, providing a convenient and concise overview of relevant Court rulings. Read the overview here.

Court’s answer to the questions: application of legal framework to the facts

Specifically, the Court tests whether IAB Europe – given the particular circumstances of the case – exerts, for its own purposes, an influence over the processing of, inter alia, the TC string (personal data) and (thereby) determines, together with others, the purposes and means of that processing.

Purposes

The Court finds – subject to the verifications to be carried out by the referring court – that the primary purpose of the TCF is to promote and enable the sale and purchase of advertising space on the internet by online auction in a lawful way, namely in accordance with the GDPR. Therefore, according to the Court, it can be assumed that IAB Europe influences, for its own purposes, the processing of personal data at issue in the main proceedings and thereby determines, together with its members, the purpose of those processing operations.


Means

The Court finds – based on the file and again subject to the verifications to be made by the referring court – that the TCF is a standard that members of IAB Europe are expected to accept, as a condition of membership in the association. If a member of IAB Europe does not comply with the rules of the TCF, IAB Europe may suspend that member for non-compliance. This suspension decision may subsequently result in the member in question being excluded from the TCF and thus no longer able to rely on the GDPR compliance guarantee that the TCF is supposed to provide. Moreover, the TCF contains very precise technical specifications on the registration and processing of data subjects’ preferences to generate a TC string as well as on content, storage and sharing of the TC string, and rules on being able to consult preferences, objections and consents stored in the TC string by different parties involved in the TCF. According to the Court, the foregoing shows that IAB Europe exercises influence over the processing of personal data for its own purposes and thus, together with its members, determines the means of such processing. IAB Europe must therefore be considered a joint controller within the meaning of Article 4(7) and Article 26(1) GDPR.

No access to personal data

Referring to the 2018 Court judgment Jehovan todistajat, the Court notes that the circumstance that IAB Europe itself does not have direct access to the TC strings and the personal data processed by its members within the TCF does not preclude IAB Europe from being considered a (joint) controller.

(No) automatic joint controllership for subsequent processing

Further, the Court held that joint controllership does not automatically extend to subsequent processing of personal data by third parties (website or application providers and data brokers or advertising platforms). According to the Court, subject to verification by the referring court, IAB Europe is involved in the processing of personal data by its members (providers of websites or applications and data brokers or advertising platforms) only in the storage of consent preferences of data subjects in the TC string according to the TCF standard and not in the processing of personal data that companies and third parties subsequently perform on the basis of those preferences (for example, by forwarding those data to third parties or by offering personalized advertisements). Thus, the joint controllership of TC strings within the TCF does not (automatically) also mean joint controllership for subsequent processing of personal data by third parties of data subjects’ preferences for the purpose of targeted online advertising.

Analysis

Previous Court judgments (Wirtschaftsakademie Schleswig-Holstein, Jehovan todistajat, Fashion ID) already showed that the bar for joint controllership is low. This judgment is in line with previous case law. Moreover, in light of ensuring a high level of protection of data subjects, this judgement is not surprising.

The influence of IAB Europe in determining the means, based on the facts in the judgment, is evident. IAB Europe created a standard (the TCF) and gave very specific technical specifications and rules about the generation and use of the personal data (including the TC string). As a result, IAB Europe clearly determined the essential means[3] and thus “the how” of the processing. By determining the essential means, IAB Europe gained a privacy role and, moreover, moved beyond the role of processor. IAB Europe, merely by determining the essential means, thus had to qualify as a data controller.

In addition, according to the Court, IAB Europe exercised influence for its own purposes in determining the purpose of data processing. Although the Court does not say much about that determination – which is unfortunate for the practice and especially for sector organizations – this judgment of the Court can be followed in view of the facts of the case. As a sector organization it is of vital importance to be of optimal service to the members. After all, its right to exist is derived from this service. One way is to develop the standard in the sector concerned and to ensure that this standard is observed (enforceable). This creates a win-win situation: the sector organization serves its members and at the same time strengthens its right to exist. From this follows a (whether modest or not) own interest of IAB Europe that – subject to verification by the referring court – according to the Court is sufficient to conclude that IAB Europe exerts influence on the processing for its own purposes. However, it remains to be seen whether the referring court reaches the same conclusion. Moreover, the judgment raises the question whether an own interest of a sector organization as such is sufficient to establish that influence ‘for its own purposes’ is exercised, or whether there must (still) be a substantial degree of own interest on the part of the sector organization, and where in practice the boundary then lies. To be continued (hopefully).

At the same time, of course, IAB Europe did not act alone: the success of the TCF depends on the number of its users and on the involvement of the relevant and different parties involved in real-time bidding. Thus, the jointness is given, albeit that this joint controllership of IAB Europe does not mean joint responsibility and liability for all processing in the chain.

Relevance to sector/industry organizations

For sector organizations and industry associations, this ruling may have (far-reaching) consequences. It is important for a sector organization to consider its own influence on a data processing operation (which may consist of various stages and numerous processing operations) with regard to existing and future processing operations. As a sector organization, “influencing for one’s own purposes” the determination of the purpose of a data processing operation may be assumed relatively quickly, mindful of this judgment. However, assuming influence over the determination of means depends very much on the facts. What seems to be further relevant is whether there is a membership obligation that, if not complied with, could have adverse consequences for the member.

If there is joint controllership, this means that the sector organization must comply with the obligations of the GDPR that apply to (joint) data controllers. In addition, the obligations of Article 26 GDPR must be met, pursuant to which an arrangement between the joint controllers involved must be established. The essence of the arrangement must then be disclosed to data subjects.

Although in practice there is relatively much resistance to the role of joint controller – which, bearing in mind the joint responsibility and joint liability in itself, is not surprising – many objections can be removed by a good mutual arrangement between the joint controllers. It is then of great importance to delineate the various stages and operations per stage of data processing. This enhances transparency vis-à-vis those involved and – if all goes well – leads to consensus among the joint controllers about the degree of involvement, responsibility and the associated (acceptance of) liability. 

This blog was written by Marijn Rooke and Corine d’Hulst


[1] ECLI:EU:C:2024:214 .

[2] https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022.pdf

[3] “Essential means” are means that are closely related to the purpose and scope of the processing, such as the type of personal data being processed (“which data shall be processed?”), the duration of the processing (“for how long shall they be processed?”), the categories of recipients (“who shall have access to them?”) and the categories of data subjects (“whose personal data are being processed?”). Guideline 7/2020 on the concepts of “controller” and “processor” in the AVG, European Data Protection Board, July 7, 2021, marginal 40.