Another knot in the consent string? CJEU rules on TCF case

Today, the CJEU handed down its decision in IAB Europe C-604/22 (here), a case concerning IAB Europe’s Transparency and Consent Framework (TCF). This decision not only has major ramifications for the adtech industry but also has a significant bearing on the interpretation of the concepts of joint controllership and identifiability under the GDPR.

The TCF is a framework relied on by thousands of organisations in the adtech ecosystem in order to demonstrate compliance with the transparency and consent requirements of the GDPR and ePrivacy regime. However, the TCF has been under scrutiny from privacy groups and data protection authorities for some time now, who consider that it fails to enable the collection of informed and specific consents. In February 2022, the Belgian DPA issued a decision that found that the TCF did not comply with the GDPR. Following an appeal of the Belgian DPA’s decision by IAB in the Belgian courts, the CJEU was asked to answer two primary questions:

(1) Is IAB Europe a joint controller together with participants in the TCF (e.g. website publishers and adtech vendors)? 

(2) Does the transparency and consent string (the “TC String”) transmitted via TCF constitute personal data?

On the first question, the CJEU found that IAB Europe is a joint controller together with TCF participants. It said that a sectoral organisation such as IAB Europe, in offering its members a framework of policies and binding technical standards relating to their processing of personal data, such as the TCF, must be considered a joint controller together with those members for the generation of TC Strings, without the need to ever having access to the data itself. The Court reached that view on the basis that IAB Europe exerts influence, for its own purposes, over the determination of the purposes and means of its members’ processing. To reach this conclusion, the Court referred to the fact that IAB Europe promotes and enables the sale and purchase of advertising space by its members, and that the TCF imposes certain rules regarding the content of the TC String as well as its storage and sharing, the breach of which could enable IAB Europe to suspend their membership and exclude them from the TCF.

However, the CJEU found that IAB Europe could not be automatically considered a joint controller in relation to the downstream processing carried out by TCF participants following the initial generation of a TC String, or by third parties such as consent management platforms, publishers and adtech vendors. This would include the processing required to share this data with third parties and to offer personalised advertising to internet users. While the CJEU’s decision does not prevent the Brussels Court of Appeal from nevertheless concluding on the facts that IAB Europe’s influence extends beyond that initial processing step carried out by TCF participants, it does appear to make that potential outcome far less likely.

On the second question, perhaps unsurprisingly, the CJEU held that the TC Strings used by IAB members to register internet users’ consent preferences can constitute personal data, as they amount to information “relating to'' a natural person, and can be combined with other information such as users’ IP addresses to identify and target the person to which the information relates. It was not relevant to reach that conclusion whether IAB Europe could itself combine this information to profile users, but in any event the CJEU appeared to be inclined to agree with the Belgian DPA that IAB Europe was in possession of means reasonably likely to identify those users in accordance with Recital 26 GDPR, on the basis that it was able to demand access to some of its members’ TC String information. In this respect the CJEU endorsed the approach taken in the 2016 Breyer judgment, which considered identifiability from the perspective of whether the controller would have the legal means to obtain additional information which would enable identification.

Overall, the judgment demonstrates that the CJEU continues to take a fairly expansive view of the concepts of joint control and identifiability. For the adtech industry, whilst the judgment is a blow to IAB Europe, the TCF itself is likely to continue to be widely adopted particularly as IAB had already made various changes to try and address the earlier concerns raised by the Belgian DPA.