On March 7, 2024, the Court of Justice of the European Union (CJEU) published its judgment in Case C-604/22 IAB Europe v Gegevensbeschermingsautoriteit. The CJEU clarified the notion of personal data, the conditions in which a sectoral organization, to the extent that it offers its members a framework of rules relating to consent to the processing of personal data, must be qualified as joint controller, and established limits on the joint liability of such an organization.

Background

The CJEU explained that the judgment arose from a February 2, 2022 decision by the Belgian Data Protection Authority (Belgian DPA) which ordered Interactive Advertising Bureau Europe (IAB Europe) to bring its framework of Transparency & Consent Framework into compliance with the provisions of the General Data Protection Regulation (GDPR). IAB Europe appealed against this decision, raising doubts as to whether a Transparency & Consent String constitutes personal data and, if so, whether IAB Europe should be qualified as a data controller under the TCF concerning the treatment of the TC String. The Brussels Court of Appeal referred the matter to the CJEU for a preliminary ruling.

Findings of the Court

The CJEU confirmed that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of the GDPR. Where the information contained in a TC String is associated with an identifier, such as, inter alia, the IP address of the user's device, that information may make it possible to create a profile of that user and to identify them.

The CJEU also noted that IAB Europe must be regarded as a joint controller within the meaning of the GDPR, as it appears to exert influence over data processing operations when the consent preferences of users are recorded in a TC String and to determine, jointly with its members, both the purposes of those operations and the means behind them. Importantly, the CJEU caveated this by highlighting that, without prejudice to any civil liability provided for under national law, IAB Europe cannot be regarded as a controller, within the meaning of the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String unless it can be established that that association has exerted an influence over the determination of the purposes and means of those subsequent operations.

IAB Europe and the Irish Council of Civil Liberties

IAB Europe welcomed the CJEU's ruling noting that it provides well-needed clarity over the concepts of personal data and (joint) controllership. In addition, the Irish Council of Civil Liberties noted that the CJEU ruling shows how broad the protection of personal data is in Europe and forces the industry to change profoundly.

You can read the press release here, the IAB Europe response here, the Irish Council of Civil Liberties response here, and the judgment here.