EU ruling adds complexity and challenges to online advertising

Lauro Fava and Andre Walter of Pinsent Masons were commenting after the Court of Justice of the EU (CJEU) clarified how EU data protection law applies in the context of a mechanism that captures internet users’ preferences for online personalised advertising.

Fava said: “The ruling poses yet another challenge to the online advertising ecosystem, which keeps the internet free and encourages the dissemination of content.”

The case before the CJEU concerned a dispute that has arisen in Belgium between Belgium’s data protection authority (APD) and IAB Europe, an advertising industry body. The dispute revolves around IAB Europe’s Transparency and Consent Framework (TCF). In its ruling, the CJEU described the TCF as “a framework of rules consisting of guidelines, instructions, technical specifications, protocols and contractual obligations that enable both the provider of a website or application and data brokers or indeed advertising platforms to process lawfully the personal data of a user of a website or application”.

The TCF enables website operators to: request that visitors to their website consent to the processing of their personal data by third parties who deploy tracking technologies on the website for purposes relating to online advertising; provide site visitors with an opportunity to object to other data processing activity that does not depend on their consent but which is processed under the ‘legitimate interests’ ground for lawful personal data processing under the GDPR; and communicate the consents to the third parties.

User preferences are recorded through the consent management platform and this data is then encoded and stored in a ‘Transparency and Consent String’ (TC String). That information is then shared with data brokers and advertising platforms. Read alongside data collected through the use of cookies, the advertising platforms can match user preferences to specific IP addresses. This informs ads served to users via an instant and automated online auction system of user profiles for the purpose of selling and purchasing advertising space on the internet, known as ‘real-time bidding’. It also supports activities such as content personalisation and prevention of fraudulent advertising.

In 2022, the APD determined that there were shortcomings with the TCF from a data protection perspective. Among other things, it found failings in relation to the lawfulness of personal data processing facilitated through the TCF, with the level of specificity in the information that users are presented about how their data may be processed, as well as with data subjects’ ability to exercise their rights under data protection law.

The APD held IAB Europe responsible for the failings because it considered it to be acting as ‘controller’ of the relevant personal data, for the purposes of the EU General Data Protection Regulation (GDPR). However, IAB Europe challenged that view before the Court of Appeal of Brussels (Market Court), which then asked the CJEU for helping interpreting EU law to enable it to rule on the dispute.

In its ruling, the CJEU has confirmed that the ability to associate the data in the TC String with “an identifier”, such as an IP address, means that the information falls within the definition of ‘personal data’ under the EU GDPR, meaning the processing of that data is subject to the GDPR’s rules.

The CJEU said: “A string composed of a combination of letters and characters, such as the TC String (Transparency and Consent String), containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of personal data concerning him or her by website or application providers as well as by brokers of such data and by advertising platforms constitutes personal data … in so far as, where those data may, by reasonable means, be associated with an identifier, such as, inter alia, the IP address of that user’s device, they allow the data subject to be identified.”

The court said it does not matter that IAB Europe cannot access the data its members process under its rules – it is still classed as personal data – and it held that the fact IAB Europe cannot directly access the data does not absolve it of responsibilities for the data under the GDPR.

The CJEU considered that IAB Europe is a ‘joint controller’ of the data because it “exerts influence over the personal data processing at issue, for its own purposes, and determines, as a result, jointly with its members, the purposes and means of such processing”.

Fava said: “The CJEU noted that IAB Europe has a right to require its members to provide it with identifying information. It remains unclear if it could still be regarded as a controller of data if it was legally prevented, such as by means of a contractual prohibition, from accessing data needed to identify the data subjects.”

Walter said the judgment could have undesirable practical consequences.

“For IAB Europe, advertising vendors, and website operators who use TCF-compliant consent management platforms (CMPs), this will lead to increased complexity because these parties will need to put in place and operationalise joint controller arrangements between them,” Walter said. “This is particularly challenging given the number of parties involved in the online advertising ecosystem. It could also mean that websites who use TCF CMPs will need to provide even more extensive transparency notices relating to their processing of data for advertising purposes – i.e. longer cookies notices.”

Fava said the judgment could also “present additional challenges to any organisation seeking to establish an approved code of conduct or certification scheme under the GDPR”. The GDPR provides for the endorsement of industry-drafted codes of conduct that are "intended to contribute to the proper application" of the law. IAB Europe has expressed a desire for its TCF to operate as an approved GDPR code of conduct.

“The GDPR requires that industry organisations specify how compliance with the GDPR should be achieved via their codes of conduct, beyond merely requiring GDPR compliance,” Fava said. “There is a risk that these organisations could be considered joint controllers on the basis that they also exert influence over the personal data processing. This introduces an additional layer of responsibility for such organisations, who may be discouraged from developing and operationalising a code of conduct.”

Hielke Hijmans, chairman of the ADP’s litigation chamber, said: "We welcome the interpretation of the CJEU, which confirms our view that a structured string of characters capturing users' preferences is personal data, and that a sectoral standard-setting organisation such as IAB Europe is the (joint) controller of this personal data. By clarifying key concepts of the GDPR in this way, this ruling will have a positive impact on all data subjects in the European Union. The procedure before the Belgian Market Court may now resume.”

IAB Europe said it welcomed the ruling, which it said “provides well-needed clarity over the concepts of personal data and (joint) controllership, which will allow a serene completion of the remaining legal proceedings”.