The Belgian Court of Appeal Marktenhof has declared the transparency and consent management system (Transparency & Consent Framework, TCF) of the online advertising industry association IAB Europe to be unlawful. This follows a decision by the Belgian data protection authority GBA (Gegevensbeschermingsautoriteit). The ruling is likely to have an impact on tracking-based advertising in the EU. Advertising have.
"TC String" violates GDPR
In its decision no. 21/2022 of February 2, 2022, the Belgian Data Protection Authority (GBA) declared that IAB Europe, with the TCF (version 2.0) it had developed, had violated essential provisions of the GDPR had been violated. The focus was on the so-called "TC String". This is a structured character string with which user preferences for personalized Advertising are stored. The GBA classified the TC String as personal data and considered IAB Europe as (jointly) Responsible persons . It imposed a fine of 250,000 euros and set a deadline of two months for a GDPR-compliant action plan.
The decision was taken as part of the One-Stop-Shop procedure with the support of other European supervisory authorities and had Europe-wide relevance.
IAB Europe lodged an appeal against the GBA's decision.
TCF decision before court of appeal
In an interim order ("tussenarrest"), the competent court of appeal "Marktenhof" in Brussels initially confirmed the formal admissibility of IAB Europe's appeal. However, a decision on the matter had not yet been made at that time.
The Market Court initially stayed the proceedings and referred two questions to the European Court of Justice (ECJ) for a preliminary ruling pursuant to Art. 267 TFEU. On the one hand, the Court of Appeal asked whether the so-called "TC String" - i.e. a structured string of characters for storing user consents and refusals - could be considered a personal data within the meaning of Art. 4 No. 1 GDPR is to be classified as a controller. On the other hand, the Marktenhof wanted to clarify whether an organization such as IAB Europe, which standardizes and specifies a technical framework for consent management, can be considered a (joint) controller within the meaning of Art. 4 no. 7 GDPR. GDPR although it has no direct control over the specific processing operations.
This proposal was intended to create legal certainty for national data protection supervisory authorities and market participants. The classification of such industry-wide frameworks under data protection law has not yet been conclusively clarified either at European level or by case law.
ECJ rules on TC String and responsibility of IAB Europe
In its judgment of March 2024, the ECJ ruled on the two questions referred to it by the Market Court regarding the qualification of TC String under data protection law and the possible liability of IAB Europe.
TC Strings as personal data
First, the ECJ clarified that TC Strings personal data within the meaning of Art. 4 No. 1 GDPR represent. The decisive factor here is that this character string, which is technically just coded preference information, can be combined with other data such as the IP addressthe cookie ID or the device information can be associated with a specific or at least identifiable user. It therefore fulfills the criteria of identifiability. This interpretation corresponds to a broad definition of personal data, which also includes pseudonymous and technically transmitted information.
IAB Europe as (jointly) responsible
Furthermore, the ECJ ruled that a sectoral organization such as IAB Europe could be considered a (joint) controller within the meaning of Art. 4 No. 7 GDPR can be classified as a controller. The Court emphasized that in order to be classified as a controller, it is not necessary for the organization itself to be directly responsible. personal data processed. Rather, the decisive factor is whether it is defined by the means and purposes of the Processing significantly influence the data processing operations.
This is a given, as IAB Europe has set the basic parameters for the Consent Framework by designing, standardizing and enforcing it. Processing of the TC Strings. It also coordinates the interaction of numerous market participants and therefore has a guiding and structuring role in the entire ecosystem. The fact that IAB Europe itself does not deliver advertising content or create individual user profiles is not decisive for data protection responsibility.
Significance of the ECJ ruling
This landmark decision has a direct impact on all parties involved in the digital advertising market as well as other sectors in which industry-wide technical standards for data processing such as the TCF are applied. In particular, the ruling underlines that legal responsibility cannot be delegated or reduced to technical neutrality when an institution intervenes centrally in a system relevant to data protection.
IAB Europe as jointly responsible for TCF
Confirmation of the substantive legal view
On the basis of the ECJ ruling, the Market Court has now decided final decision on the appeal from IAB Europe. Although the decision no. 21/2022 of the GBA formally annulled due to procedural errorshowever:
- All substantive legal assessments of the JCC were confirmed.
- The Fine of 250,000 euros remains in place.
- The Court confirmed that the TC Strings personal data represent.
- IAB Europe will continue to operate as Jointly responsible for the Processing of user preferences within the framework of the TCF.
Clarification on the OpenRTB component
However, the Marktenhof also made it clear that IAB Europe is not considered a (co-)controller for those processing operations that take place exclusively within the OpenRTB protocol. This is a Drawing the line between the standardization framework of the TCF and the practical implementation of individual real-time advertising campaigns made.
Reading tip: ECJ strengthens transparency - credit agencies must disclose decision-making processes
GDA decision on TCF with impact on real-time bidding
The decision has several Basic implications for the AdTech industry and for sector-specific standardization organizations:
- TC Strings as personal data: In future, market participants must include this data in the scope of protection of the GDPR and the corresponding Legal basis and protective measures.
- Responsibility of sectoral organizations: Organizations such as IAB Europe, which set standards and technical rules, can be considered responsible under data protection law - even without direct access to or use of personal data.
- Clarity on the distribution of roles: The exclusion of IAB Europe's responsibility for OpenRTB processes signals that the focus is on the organizational areas of influence, not on the technical transfer itself.
Even though the original GBA proceedings were annulled due to formal deficiencies, the Marktenhof confirms fully in line with the legal opinion of the JCC and the ECJ. If other European data protection authorities follow this ruling, this could have an impact on the display of personalized Advertising and the cross-device Tracking Real-time bidding (RTB), in which advertisements are auctioned in real time, is particularly affected.
The fact that the TC Strings personal data and their collection and disclosure within the framework of the TCF by a Shared responsibility suggests that many RTB stakeholders need to reassess their data protection roles and technical processes. The focus is particularly on questions of consent effectiveness, Earmarking, Transparency and minimization in the automated auctioning of advertising space. The ruling should therefore indirectly lead to a reform or at least far-reaching adaptation of RTB processes - both technically and organizationally.
The GBA has already announced that it will analyze the reasons for the ruling in detail.
German 
English 
Italian 
French