On 7 September 2022, the Belgian Court of Appeal issued a judgment (the “Judgment”) in the appeal by IAB Europe against the decision of 2 February 2022 (the “Decision”) of the Belgian Data Protection Authority (the “APD”) against IAB Europe regarding the operation of the Transparency and Consent Framework (the “TCF”). For details of the Decision, see our original article here.
The Judgment has resulted in several key questions being raised to the Court of Justice of the European Union (“CJEU”) for further determination – the outcome of these questions will be key not just to this case but also more broadly given their fundamental nature.
Key Summary: the original Decision
- The TCF intends to provide a standardised method through which all stakeholders in the adtech ecosystem (publishers, vendors and, indirectly, advertisers) can technically communicate an end user’s choices and preferences as to how personal data relating to that user may be used. This includes obtaining and communicating a user’s informed consent to processing of such data for a number of predefined purposes.
- Operation of the TCF is undertaken through the use of consent management platforms (“CMPs”) that are displayed to a user on a given publisher site. CMPs provide users with relevant required transparency information and permit them to accept/reject their data being used for the specified purposes.
- IAB Europe presents the TCF as simply being a framework to allow participants to communicate in a standardised manner. By creating certain rules, parameters and structure around the framework, and requiring certification for participation for certain types of organisations, IAB Europe intends for TCF to provide a controlled, trusted environment for user preferences to be collected and communicated.
- Key to the TCF is the Transparency and Consent String (“TC String”). This defined set of letters and numbers is generated by the CMP and encapsulates the user’s preferences in a standardised manner. This is then subsequently communicated throughout the adtech ecosystem to indicate that user’s preferences to those parties that do not have a direct path to the user themselves (for example, adtech vendors and advertisers).
- In the Decision, the APD held that:
  - the TC String, although itself not able to directly identify a user, can be combined with a user’s IP address to indirectly identify an individual, making it personal data;
  - the processing of the TC String itself is therefore processing of personal data in its own right, even if processed to communicate “no consent”;
  - in its current form, TCF, as implemented by CMPs, does not provide a valid lawful basis for processing personal data, therefore a lawful basis cannot be communicated through the adtech ecosystem under TCF;
  - IAB Europe is a data controller in respect of the TCF and the processing of data through the framework, and a joint controller with other participating organisations of the TC String; and
  - currently, IAB Europe does not sufficiently monitor and police participating organisations’ compliance with the rules of the TCF.
The Decision resulted in certain key findings summarised above that were then appealed by IAB Europe.
The appeal grounds developed by IAB Europe can be grouped into three categories: (1) procedural grounds; (2) grounds contesting that the TC String constitutes personal data for IAB Europe, and that IAB Europe acts as a joint data controller in relation to such data; and (3) since IAB Europe believes that is not the case, grounds contesting that it had violated several of its obligations under the General Data Protection Regulation (“GDPR”).
Below, we will elaborate on how the Court of Appeal responded to these grounds of appeal.
1. Procedural grounds of appeal
It is important to note that an appeal against a decision of the APD through the Court of Appeal is not a classic appeal; rather the procedure is a form of judicial review in the sense that the Court will assess whether the decision taken by the APD was lawful. If this is not the case, the Court of Appeal will annul the decision of the APD. However, in principle, the Court will not make an entirely new decision, nor entirely substitute itself for the APD, particularly in relation to substantive interpretative matters.
The first eight of IAB Europe’s appeal grounds were mainly based on procedural grounds and were clearly aimed at convincing the Court to annul the Decision. These arguments were quite diverse in nature, and some quite fundamental. For example, IAB Europe argued, amongst other things, that:
- the APD’s inspection report was inappropriately motivated, incomplete and biased (second ground of appeal);
- the fines imposed under the Belgian Data Protection Act in conjunction with Article 83 GDPR are disproportionate and violate the principle of material lawfulness guaranteed by Articles 6 and 7 of the European Convention on Human Rights and Article 47 of the Charter of Fundamental Rights of the European Union (“ECHR”) (third ground of appeal);
- the amount of the fine was insufficiently motivated pursuant to the criteria under Article 83(2) GDPR (fourth ground of appeal); and
- the nomination of the members of the APD Litigation Chamber by the Belgian Parliament was in breach of Article 53 GDPR and therefore illegal (sixth ground of appeal).
Most of these grounds of appeal were dismissed by the Court of Appeal. However, it partly followed IAB Europe in its seventh and eighth grounds of appeal that the APD should not have included in the Decision additional allegations and complaints from the complainants about the qualification of the TC String as being personal data that were submitted after the hearing and simply incorporated into the Decision, leading to a violation of the principle of due care. The decision on what consequences the Court of Appeal attaches to this violation and whether it results in a challenge to the validity of the Decision as a whole is stayed pending the proceedings before the CJEU (see below).
In previous cases, the APD has had a poor track record before the Court of Appeal, with roughly 80% of all admissible appeals against decisions of the APD resulting in the decision being annulled, mostly on the basis of procedural grounds (for more information, see our article about GDPR Enforcement in Belgium here). Contrary to this usual position, in this case, the Decision and the manner in which the APD conducted the proceedings against IAB Europe were mainly upheld by the Court of Appeal. It is therefore not surprising that the APD, which was defending what is undoubtedly the most significant decision it has yet taken, mentioned in its statement on the Judgment that “it is pleased with this decision.”
2. Referral of questions to the CJEU
As requested by all parties to the Decision, given the importance of the Court’s judicial review of the Decision and the wider importance beyond this case, particularly with regard to clarifying the position on key concepts of the GDPR (such as the definition of data controller) and its applicability to framework designers, the Court of Appeal decided to refer the following questions to the CJEU:
Is the TC String, whether in combination with an IP address or otherwise, personal data for IAB Europe?
- (a) Should Article 4(1) of the GDPR, read in conjunction with Articles 7 and 8 of the ECHR, be construed as meaning that a character string indicating the preferences of an internet user in connection with the processing of his personal data in a structured and machine-readable manner constitutes personal data within the meaning of the aforementioned provision in relation to:
  - a sectoral organisation which makes available to its members a standard by means of which it prescribes the practical and technical manner in which that character string must be generated, stored and/or disseminated, and
  - the parties which have implemented that standard on their websites or in their apps and which thus have access to that character string?
- (b) Does it make a difference if the implementation of the standard means that this string is available together with an IP address?
- (c) Does the answer to questions (a) + (b) lead to a different conclusion if this standard-setting sector organisation itself does not have legal access to the personal data processed by its members within this standard?
Is IAB Europe a joint data controller?
- (a) Should Articles 4(7) and 24(1) of the GDPR, read in conjunction with Articles 7 and 8 of the ECHR, be construed as meaning that a standards-setting trade association must be classified as a data controller if it offers its members a standard for managing consent which, in addition to a binding technical framework, contains rules laying down in detail how consent data, that is personal data, is to be stored and disseminated?
- (b) Does the answer to question (a) lead to a different conclusion if this sector organisation itself has no legal access to the personal data processed by its members within this standard?
- (c) If the standard-setting sector organisation must be designated as the data controller or joint data controller for the processing of the preferences of Internet users, does that (joint) responsibility of the standard-setting sector organisation also automatically extend to the subsequent processing by third parties for which the preferences of Internet users were obtained, such as targeted online advertising by publishers and vendors?
3. Consequential violation of several GDPR obligations
As mentioned in our previous article, not only did the APD in its Decision decide that the TC String does constitute personal data for IAB Europe’s purposes, and that IAB Europe acts as a joint controller in relation to such personal data, it also found that IAB Europe had failed to comply with several GDPR obligations (e.g., failing to appoint a data protection officer, conduct data protection impact assessments, and maintain records of processing activities).
As these GDPR obligations arise as a result of the TC String being considered personal data (where IAB Europe did not consider this to be the case prior to the Decision), and the answers from the CJEU on the referred questions will determine whether this classification of the TC String is correct, the Court of Appeal has suspended its Judgment on these aspects in particular pending the case before the CJEU.
As it currently stands, the Judgment is stayed pending resolution of the above questions by the CJEU. Given the usual speed of this process, we would not expect any further Judgment before 2024. Although this does not act to suspend the Decision itself, it seems likely that, pending proceedings before the CJEU, the APD will not seek enforcement of the Decision.
Whilst the referred questions are vitally important, not just to this case but to the industry more broadly, the associated timeframes for the referral and the relevant response mean that the industry, unfortunately, remains in a period of uncertainty as to the ongoing validity of the TCF as a means of obtaining and communicating user consent in the adtech ecosystem. Although this would seem to grant some short-term respite given that it would seem unlikely, though not guaranteed, for other regulators to enforce against the use of TCF pending the CJEU’s responses, it does not provide any longer-term certainty at this stage.
There is, however, no need to immediately panic – as stated previously, the adtech ecosystem will not stop functioning in Europe tomorrow. Our previous recommendations still apply, and at this stage, the most that users of TCF can do is wait and see.