The Belgian Court of Appeal Marktenhof has declared the transparency and consent management system (Transparency & Consent Framework, TCF) of the online advertising industry association IAB Europe to be unlawful. This follows a decision by the Belgian data protection authority GBA (Gegevensbeschermingsautoriteit). The ruling is likely to have an impact on tracking-based advertising in the EU.
"TC String" violates the GDPR
In its decision no. 21/2022 of February 2, 2022, the Belgian Data Protection Authority (GBA) declared that IAB Europe had violated essential provisions of the GDPR with the TCF (version 2.0) it had developed. The focus was on the so-called "TC String". This is a structured character string that is used to store user preferences for personalized advertising. The GBA classified the TC String as personal data and considered IAB Europe to be the (joint) controller. It imposed a fine of 250,000 euros and set a deadline of two months for a GDPR-compliant action plan.
The decision was taken as part of the One-Stop-Shop procedure with the support of other European supervisory authorities and had Europe-wide relevance.
IAB Europe lodged an appeal against the GBA's decision.
TCF decision before court of appeal
In an interim order ("tussenarrest"), the competent court of appeal "Marktenhof" in Brussels initially confirmed the formal admissibility of IAB Europe's appeal. However, a decision on the matter had not yet been made at that time.
The Market Court initially stayed the proceedings and referred two questions to the European Court of Justice (ECJ) for a preliminary ruling pursuant to Art. 267 TFEU. On the one hand, the Court of Appeal asked whether the so-called "TC String" - i.e. a structured character string for storing user consents and refusals - is to be classified as personal data within the meaning of Art. 4 No. 1 GDPR. On the other hand, the Marktenhof wanted to clarify whether an organization such as IAB Europe, which standardizes and specifies a technical framework for consent management, is to be regarded as a (joint) controller within the meaning of Art. 4 No. 7 GDPR, although it itself has no direct control over the specific processing operations.
This proposal was intended to create legal certainty for national data protection supervisory authorities and market participants. The classification of such industry-wide frameworks under data protection law has not yet been conclusively clarified either at European level or by case law.
ECJ rules on TC String and responsibility of IAB Europe
In its judgment of March 2024, the ECJ ruled on the two questions referred to it by the Market Court regarding the data protection qualification of TC String and the possible liability of IAB Europe.
TC Strings as personal data
First of all, the ECJ clarified that TC strings constitute personal data within the meaning of Art. 4 No. 1 GDPR. The decisive factor here is that this string, which from a technical perspective is merely coded preference information, can be linked to a specific or at least identifiable user by combining it with other data such as the IP address, cookie ID or device information. It therefore fulfills the criteria of identifiability. This interpretation corresponds to a broad definition of personal data, which also includes pseudonymous and technically transmitted information.
IAB Europe as (jointly) responsible
Furthermore, the ECJ ruled that a sectoral organization such as IAB Europe can be classified as a (joint) controller within the meaning of Art. 4 No. 7 GDPR. The Court emphasized that it is not necessary for the organization itself to process personal data directly in order to be classified as a controller. Rather, the decisive factor is whether it has a significant influence on the data processing operations by defining the means and purposes of processing.
This is a given, as IAB Europe sets the basic parameters for the processing of TC strings by designing, standardizing and enforcing the Consent Framework. It also coordinates the interaction of numerous market participants and therefore has a guiding and structuring role in the entire ecosystem. The fact that IAB Europe itself does not deliver advertising content or create individual user profiles is not decisive for its responsibility under data protection law.
Significance of the ECJ ruling
This landmark decision has a direct impact on all parties involved in the digital advertising market as well as other sectors in which industry-wide technical standards for data processing such as the TCF are applied. In particular, the ruling underlines that legal responsibility cannot be delegated or reduced to technical neutrality when an institution intervenes centrally in a system relevant to data protection.
IAB Europe as jointly responsible for TCF
Confirmation of the substantive legal view
On the basis of the ECJ ruling, the Market Court has now decided final decision on the appeal from IAB Europe. Although the decision no. 21/2022 of the GBA formally annulled due to procedural errorshowever:
- All substantive legal assessments of the JCC were confirmed.
- The Fine of 250,000 euros remains in place.
- The Court confirmed that the TC Strings personal data represent.
- IAB Europe will continue to operate as Jointly responsible for the processing of user preferences within the framework of the TCF.
Clarification on the OpenRTB component
However, the Marktenhof also made it clear that IAB Europe is not considered a (co-)controller for those processing operations that take place exclusively within the OpenRTB protocol. This is a Drawing the line between the standardization framework of the TCF and the practical implementation of individual real-time advertising campaigns made.
Reading tip: ECJ strengthens transparency - credit agencies must disclose decision-making processes
GDA decision on TCF with impact on real-time bidding
The decision has several Basic implications for the AdTech industry and for sector-specific standardization organizations:
- TC Strings as personal data: In future, market participants must include this data under the scope of protection of the GDPR and provide for corresponding legal bases and protective measures.
- Responsibility of sectoral organizations: Organizations such as IAB Europe, which set standards and technical rules, can be considered responsible under data protection law - even without direct access to or use of personal data.
- Clarity on the distribution of roles: The exclusion of IAB Europe's responsibility for OpenRTB processes signals that the focus is on the organizational areas of influence, not on the technical transfer itself.
Even though the original GBA proceedings were annulled due to formal deficiencies, the Marktenhof confirms fully in line with the legal opinion of the JCC and the ECJ. If other European data protection authorities follow this ruling, this could have an impact on the display of personalized advertising and cross-device tracking, as this primarily affects "real-time bidding" (RTB), in which advertisements are auctioned in real time.
The fact that the TC Strings constitute personal data and that their collection and transfer within the framework of the TCF must be regulated by a shared responsibility suggests that many RTB players must reassess their data protection roles and technical processes. In particular, the focus is on questions of consent effectiveness, purpose limitation, transparency and minimization in the automated auctioning of advertising space. The ruling should therefore indirectly lead to a reform or at least far-reaching adaptation of RTB processes - both technically and organizationally.
The GBA has already announced that it will analyze the reasons for the ruling in detail.
English 
German 
Italian 
French