Debunking all fake news about the CJEU’s ruling on Transparency & Consent Framework – Is the CJEU’s decision against the TCF or the vendors enrolled in the Vendor List?
After the publication on March 7, 2024 of the decision of the Court of Justice of the European Union (hereinafter, “CJEU” or the “Court”) regarding IAB Europe’s Transparency & Consent Framework (hereinafter, “TCF”)[1], several commentators have highlighted the “disruptiveness” of the decision, which some believe will have a significant impact on how ad auctions are designed and on the landscape of programmatic advertising.
But is it really so? Or, on the contrary, has the Court merely confirmed its consistent interpretation of the definition of personal data and of the definition of (joint)controller(s)?
With this article, we will attempt to clarify the topic, emphasizing that the majority of the rulings by the CJEU in this judgment are nothing but confirmations of what has already been decided in previous cases.
Context of the decision
First of all, it is necessary to clarify the context in which the decision of the CJEU was issued and to understand what the TCF is: a framework that provides a standardized way for publishers, digital market players and advertisers to obtain and manage user consent for the use of their personal data[2]. A further point of clarification is that the TCF was not created solely by IAB Europe (nor is it managed by it alone); IAB Europe is a trade association that represents the digital advertising industry in Europe.
The TCF is a voluntary standard and a self-regulatory effort by digital market players who actively collaborate in its functioning; it is intended for use by three categories of stakeholders (i) publishers, (ii) vendors and (iii) CMPs (Consent Management Platforms)[3], and it’s open to all such stakeholders who want to use the TCF – irrespective of whether they are members of IAB Europe.
The CJEU’s decision is not against the TCF, nor against the members participating in the TCF: the decision was issued after the hof van beroep te Brussel (that is, the Brussels Court of Appeal) referred two questions to the CJEU for a preliminary ruling.
The case started after the Belgian Data Protection Authority (hereinafter, “APD”) issued on 2 February 2022 a decision on IAB Europe and the TCF, through which it identified IAB Europe as a (joint) data controller for the processing of TC String (digital signals containing user preferences the APD considered to be personal data) as well as for the subsequent processing of personal data in the context of the TCF[4].
The APD’s decision was appealed before the Market Court (Court of Appeal of Brussels) by IAB Europe on 4 March 2022. On 7 September 2022, the Market Court referred preliminary questions to the CJEU and suspended its deliberation on the merits of the case.
With the decision dated 7 March 2024, the CJEU rendered its judgment, allowing the proceedings to resume before the Belgian Market Court, which will have to carry out all the verifications indicated by the CJEU.
Is it true that the CJEU ruled that the TC String is personal data?
It is not as simple as it appears (nor as “definitive” as many have prematurely asserted). Firstly, it is essential to clarify which question the Belgian court referred to the CJEU. Specifically, the referring court asked if «Article 4(1) of the GDPR must be interpreted as meaning that a string composed of a combination of letters and characters, such as the TC String, containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of personal data concerning him or her by website or application providers as well as by brokers of such data and by advertising platforms, constitutes personal data within the meaning of that provision, where a sectoral organisation [i.e., IAB Europe] has established the framework of rules under which that string must be generated, stored or disseminated and the members of such an organisation have implemented such rules and thus have access to that string.».
Moreover, the Brussels Court of Appeal also «wishes to ascertain whether, for the purpose of answering that question, it is important, in the first place, for that string to be associated with an identifier, such as, inter alia, the IP address of that user’s device, allowing the data subject to be identified, and, in the second place, for such a sectoral organisation to have the right to access directly the personal data which are processed by its members under the framework of rules that it has established.»
As the CJEU reiterated once again, the CJEU’s case-law on Directive 95/46/EC is also applicable, in principle, to Regulation (EU) 2016/679 (hereinafter, “GDPR”), as «the relevant provisions of [GDPR] have essentially the same scope as that of the relevant provisions of [Directive 95/46/EC]»[5].
According to several rulings of the CJEU, for the interpretation of a provision of a European Union law, account must be taken not only of the formulation but also of the context in which the provision is inserted, as well as the objectives and purposes pursued by the act of which it is a part[6].
In this perspective, the CJEU recalls that pursuant to Article 4, paragraph 1 of the GDPR, personal data is defined as «any information relating to an identified or identifiable natural person». This provision further specifies that «an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person».
According to the Court, the use of the phrase «any information» in this definition reflects the Union legislator’s intention to give a broad meaning to this notion. Said definition thus potentially encompasses all types of information, both objective and subjective, in the form of opinions or assessments, provided that they «relate to» the data subject[7].
In this regard, the CJEU has declared that information concerns an identified or identifiable natural person if, by reason of its content, purpose, or effect, it is connected to an identifiable person[8].
Furthermore, regarding the identifiability of a person, it follows from the wording of Article 4, paragraph 1 of the GDPR that an identifiable person is considered to be one who can be identified not only directly but also indirectly. The fact that the European legislator has specified «indirectly» indicates that, to qualify information as personal data, it is not necessary for that information alone to enable the identification of the data subject[9].
On the contrary, taking into account the definition of pseudonymization (as provided for in Article 4, paragraph 5 of the GDPR[10]) and Recital 26 of the GDPR[11], personal data that could be attributed to a natural person through the use of additional information must be considered information about an identifiable natural person[12].
Recital 26 of the GDPR also considers that to establish the “identifiability” of a person, it is appropriate to consider «all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly». This wording suggests that for data to be classified as personal data under the GDPR, it is not required that all information enabling the identification of the data subject be possessed by a single person[13].
Consequently, the notion of personal data not only encompasses data collected and stored by the data controller but also includes all information resulting from the processing of personal data concerning an identified or identifiable natural person[14].
In the case analysed by the CJEU, as submitted to it by the Brussels Court of Appeal, the TC String is a string composed of a combination of letters and characters, containing a user’s preferences regarding their consent to the processing of personal data concerning him/her or his/her possible objection to processing such data based on legitimate interests by TCF’s participants.
Once again, it is necessary to clarify the context and how the TC String is composed[15] by publishers and the CMPs. The TC String can be up to 320 characters and there are three distinct TC String segments that are joined together on a “dot” character. They are (i) the core vendor transparency and consent details, (ii) disclosed vendors, and (iii) publisher purposes transparency and consent for their own data uses.
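To make the composition described above concrete, the following is an added example (not part of the original article and not IAB Europe's code) that decodes the sample TC String quoted in footnote 15. The field widths of the core segment header and the 3-bit segment-type codes are assumptions taken from the TCF v2 string format as publicly specified; function and variable names are illustrative.

```python
from datetime import datetime, timezone

# base64url alphabet: each character of a TC String carries 6 bits, no padding
B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

# Assumed TCF v2 core-segment header layout: (field name, width in bits)
CORE_HEADER = [
    ("version", 6), ("created", 36), ("last_updated", 36),
    ("cmp_id", 12), ("cmp_version", 12), ("consent_screen", 6),
    ("consent_language", 12), ("vendor_list_version", 12),
    ("tcf_policy_version", 6), ("is_service_specific", 1),
    ("use_non_standard_stacks", 1), ("special_feature_opt_ins", 12),
    ("purposes_consent", 24), ("purposes_li_transparency", 24),
]
# Assumed type codes carried in the first 3 bits of each non-core segment
SEGMENT_TYPES = {1: "disclosed_vendors", 2: "allowed_vendors", 3: "publisher_tc"}

# Sample string as quoted in footnote 15 of the article
PAGE_EXAMPLE = (
    "COw4XqLOw4XqLAAAAAENAXCAAAAAAAAAAAAAAAAAAAAA"
    ".IFukWSQgAIQwgI0QEByFAAAAeIAACAIgSAAQAIAgEQACEABAAAgAQFAEAIAAAGBAAgAAAAQAIFAAMCQAAgAAQiRAEQAAAAANAAIAAggAIYQFAAARmggBC3ZCYzU2yIA"
    ".QFukWSQgAIQwgI0QEByFAAAAeIAACAIgSAAQAIAgEQACEABAAAgAQFAEAIAAAGBAAgAAAAQAIFAAMCQAAgAAQiRAEQAAAAANAAIAAggAIYQFAAARmggBC3ZCYzU2yIA"
    ".YAAAAAAAAAAAAAAAAAA"
)


def to_bits(segment):
    """Turn a base64url segment into a string of '0'/'1' characters."""
    try:
        return "".join(format(B64URL.index(ch), "06b") for ch in segment)
    except ValueError:
        raise ValueError("segment contains a non-base64url character") from None


def set_bits(value, width):
    """1-based positions of the set bits, counted from the leftmost bit."""
    return [i + 1 for i, b in enumerate(format(value, f"0{width}b")) if b == "1"]


def parse_core(segment):
    """Decode the header fields of the core segment."""
    bits, pos, out = to_bits(segment), 0, {}
    for name, width in CORE_HEADER:
        if pos + width > len(bits):
            raise ValueError(f"core segment truncated before field {name!r}")
        out[name] = int(bits[pos:pos + width], 2)
        pos += width
    for ts in ("created", "last_updated"):  # stored as deciseconds since epoch
        out[ts] = datetime.fromtimestamp(out[ts] / 10, tz=timezone.utc)
    lang = out["consent_language"]  # two 6-bit letters, 0 = 'A'
    out["consent_language"] = chr(65 + (lang >> 6)) + chr(65 + (lang & 63))
    out["purposes_consent"] = set_bits(out["purposes_consent"], 24)
    out["purposes_li_transparency"] = set_bits(out["purposes_li_transparency"], 24)
    return out


def parse_tc_string(tc_string):
    """Split on the dot character, decode the core header, label the rest."""
    core, *rest = tc_string.split(".")
    if not core or any(not seg for seg in rest):
        raise ValueError("empty segment in TC String")
    kinds = [SEGMENT_TYPES.get(int(to_bits(seg[0])[:3], 2), "unknown") for seg in rest]
    return {"core": parse_core(core), "optional_segments": kinds}


if __name__ == "__main__":
    for key, value in parse_tc_string(PAGE_EXAMPLE)["core"].items():
        print(f"{key:26} {value}")
```

The header fields decoded here are timestamps, CMP and vendor-list metadata and the preference bitfields; none of them is an IP address or a user identifier, which is why the Court's reasoning turns on the string being associated with such an identifier.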
However, even if a TC String, in itself, did not contain elements allowing for the direct identification of the data subject, it would still remain the fact, firstly, that it contains the individual preferences of a specific user regarding his/her consent to the processing of personal data concerning him/her, to the extent that such information «relates to a natural person» pursuant to Article 4, paragraph 1 of the GDPR.
Secondly, the Court noted that when the information contained in a TC String is associated with an identifier, such as the IP address of the user’s device, it can allow for the creation of a profile of that user and effectively identify the person specifically concerned by such information.
Consequently, since associating the TC String with additional data (especially the IP address of a user’s device or other identifiers) enables the identification of that user, according to the CJEU it must be considered that the TC String contains information regarding an identifiable user and therefore constitutes personal data, pursuant to Article 4, paragraph 1 of the GDPR, which is corroborated by Recital 30 of the GDPR[16], which explicitly refers to such a situation[17].
According to the CJEU, this interpretation cannot be called into question by the mere circumstance that IAB Europe could not itself combine the TC String with the IP address of a user’s device and would not have the possibility to directly access the data processed by TCF’s members. Indeed, as already established by previous judgments of the CJEU (such as the «Breyer» case, C‑582/14), such a circumstance does not prevent a TC String from being classified as «personal data».
Furthermore, from the documents available to the Court, and from the APD’s decision dated February 2, 2022, the Court stated that it emerges that the members of the TCF, upon request from IAB Europe, are required to provide all information enabling IAB Europe to identify the users whose data are subject to a TC String.
According to the CJEU, it therefore appears, subject to the verifications that it is for the Brussels Court of Appeal to make in this regard, that IAB Europe has reasonable means allowing it to identify a specific natural person based on a TC String, thanks to the information that organizations participating in the TCF are required to provide to IAB Europe (in line with what is specified under Recital 26 of the GDPR).
From the foregoing, it follows that «a string composed of a combination of letters and characters, such as the TC String, containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of personal data concerning him or her by website or application providers as well as by brokers of such data and by advertising platforms constitutes personal data within the meaning of that provision in so far as, where those data may, by reasonable means, be associated with an identifier, such as, inter alia, the IP address of that user’s device, they allow the data subject to be identified.»[18].
It is irrelevant in this regard that IAB Europe, without external contributions (that IAB Europe has the right to demand), cannot access the data processed by TCF’s members within the rules established by IAB Europe or combine the TC String with other identifiers, such as the IP address of a user’s device[19].
Is IAB Europe a (joint) data controller for the processing of the TC String in the context of the TCF?
The second question referred to the CJEU was related to the interpretation of article 4, paragraph 7 of GDPR. Specifically, the referring court asked if that provision «must be interpreted as meaning that:
– first, a sectoral organisation, in so far as it proposes to its members a framework of rules that it has established relating to consent to the processing of personal data, which contains not only binding technical rules but also rules setting out in detail the arrangements for storing and disseminating personal data relating to such consent, must be classified as a ‘controller’ within the meaning of that provision, and whether, for the answer to that question, it is relevant that such a sectoral organisation itself have direct access to the personal data processed by its members under those rules;
– second, any joint controllership of that sectoral organisation extends automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising.».
The Court started the analysis of the second question by considering the GDPR’s objective: ensuring a «high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data» (as protected under Article 8, paragraph 1 of the Charter of Fundamental Rights of the European Union and Article 16, paragraph 1 of TFEU)[20]. In light of that objective, Article 4, paragraph 7 of the GDPR defines the concept of «controller» broadly, to ensure «effective and complete protection of data subjects»[21].
Moreover, this definition clarifies that the controller, by determining «the purposes and means of the processing of personal data», can act «alone or jointly with others»[22]. Acting with others does not necessarily imply that each (joint) controller has the same responsibility as the others involved in the processing[23].
Ever since its interpretation of Directive 95/46/EC, the Court has recognised that (joint) controllers may be involved at different stages and to different degrees of the personal data processing, and that joint controllership does not require each of the joint controllers to have access to the personal data concerned[24].
To verify the presence of a joint controllership situation, it is necessary to examine whether the determination of purposes and means – a prerogative of the data controller – is within the purview of more than one entity. When determining the purposes and means of processing, joint controllers must participate together, and this can occur either (i) through a common decision or (ii) through converging decisions, where the decisions of the joint controllers complement each other and are necessary for the existence of the processing itself, such that without one, the processing would not be possible, and the processing of each joint controller is inseparable and inextricably linked to that of the other joint controller(s).
Joint participation through a common decision implies the adoption of a decision and a shared intention to adopt such decision, based on the most common interpretation of the term «jointly» as per art. 26 of the GDPR. Conversely, the situation of joint participation through converging decisions stems particularly from the CJEU jurisprudence on the concept of joint controllership. Decisions can be considered converging on purposes and means if they complement each other and are necessary for the processing to take place, such that they have a tangible impact on the determination of the purposes and means of processing[25].
In the case referred to the Court, it must be ascertained whether IAB Europe may be regarded as a joint controller for the purposes of Article 4(7) and Article 26(1) of the GDPR and, as the CJEU states, «it is therefore necessary to assess whether, having regard to the particular circumstances of the case at issue, IAB Europe exerts influence over the processing of personal data, such as the TC String, for its own purposes, and determines, jointly with others, the purposes and means of such processing»[26].
According to the Court, taking into account the fact that the TCF «aims, in essence, to promote and enable the sale and purchase of advertising space on the internet by such operators [which participate in the online auctioning of advertising space]», it appears – subject to the verification that shall be made by the Brussels Court – that «IAB Europe exerts influence over the personal data processing operations at issue in the main proceedings, for its own purposes, and determines, as a result, jointly with its members, the purposes of such operations»[27].
On the other hand, considering the means of the processing, the Court noted that IAB Europe established «technical specifications relating to the processing of the TC String» (how consent management platforms are required to collect users’ preferences, how such preferences must be processed in order to generate a TC String, content of the TC String as well as its storage and sharing)[28].
Subject to the verifications which are for the referring court to carry out, the Court concluded that IAB Europe must be regarded as «exerting influence over the personal data processing operations at issue in the main proceedings, for its own purposes, and determines, as a result, jointly with its members, the means behind such operations», and for these reasons this organization must be considered as a joint controller, regardless of the fact that it does not have access to the personal data processed[29].
Is IAB Europe a (joint) data controller for the subsequent processing of personal data in the context of the TCF?
We now come to the most interesting point of the decision. Having stated that IAB Europe may be considered a joint controller because it exerts influence over the personal data processing under the TCF, for its own purposes, and determines, as a result, jointly with its members, the purposes and means of such processing, the Court had to assess whether such joint controllership extends to the subsequent processing of personal data carried out by TCF’s participants.
In this regard, the CJEU clarifies that «it can be ruled out that any joint controllership of that sectoral organisation extends automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising»[30].
As recalled by the EDPB’s Guidelines 7/2020, the concept of data controller may be linked to a single processing operation or to a series of operations. In practice, this could mean that the control exercised by a particular entity may extend to the entirety of the processing in question, but it could also be limited to a specific phase thereof: a processing of personal data involving multiple parties can be divided into several processing operations, for each of which a different entity might be considered the controller, i.e., the entity determining the purposes and means for the processing portion under its responsibility[31].
In the case concerning IAB Europe, according to the CJEU, a distinction must be made between:
(i) the processing of personal data carried out by participants in the TCF, such as website or mobile app publishers, when they record user preferences in a TC String according to the rules established by IAB Europe; and
(ii) the subsequent processing of personal data carried out by these operators as well as third parties based on such preferences, such as transmitting this data to third parties or delivering personalized advertising to users.
According to the CJEU, pending verification by the Belgian referring court, there is no evidence that the subsequent processing involves the participation of IAB Europe. Consequently, automatic liability of IAB Europe, together with these operators as well as other third parties, for the processing of personal data based on user preference data contained in a TC String, must be excluded.
Only if it is demonstrated that IAB Europe exercises influence over the determination of the purposes and methods of the subsequent processing, can IAB Europe also be considered a controller of such subsequent processing. This verification will be the responsibility of the referring court[32].
Final considerations
To conclude, having clarified the context of the CJEU’s decision and connected it to the pertinent references to the TCF and its operational environment, we can say that the Court did not rule anything about the TCF’s functioning, nor about the TCF’s participants. Consequently, it is not true that consent popups are illegal, nor that the TCF has been judged illegal.
As IAB Europe clarifies «There is therefore nothing in the CJEU ruling that could be viewed as even remotely questioning the legality of consent prompts or prohibiting their use by the digital ecosystem to comply with legal requirements under the EU’s data protection framework. The CJEU ruling furthermore does not examine whether any activities of IAB Europe or TCF participants could be deemed any GDPR breaches»[33].
Having received the preliminary ruling by the CJEU, the Belgian Court of Appeal will now resume the case and carry out all the verifications indicated by the CJEU, and the parties’ arguments will be examined according to the clarifications received.
In the meantime, IAB Europe confirmed that «changes to the TCF will be limited and can be effected quickly», given that the amendments necessary to treat the TC String as personal data were already proposed as part of an Action Plan requested by the APD in the decision of February 2022, submitted to the APD on 1 April 2022 and then validated by the latter on 11 January 2023[34].
The implementation period to execute the Action Plan submitted by IAB Europe was voluntarily suspended by the APD, until a final ruling is rendered on the appeal before the Belgian Market Court. As specified by IAB Europe, however, «pending the final ruling from the Belgian Market Court, IAB Europe has moved forward with certain iterations to the TCF that were included in the action plan and less impacted by the CJEU procedure, as well as additional measures to extend the compliance functionality of the TCF (see here the launch announcement of TCF v2.2).»[35].
[1] Judgment of the Court of 7 March 2024, IAB Europe, C‑604/22, EU:C:2024:214.
[2] For any information on the TCF, visit the page “TCF Supporting Resources”.
[3] For the definitions of the three categories of stakeholders, please consult the “IAB Europe Transparency & Consent Framework Policies” available at the following link.
[4] The decision can be found here. More information about the case can be found on IAB Europe’s websites, such as by consulting the «FAQ: APD DECISION ON IAB EUROPE AND TCF» last updated March 2024, issued by IAB Europe and available at the following link.
[5] IAB Europe, C‑604/22, paragraph 33. See, by analogy, judgment of 17 June 2021, M.I.C.M., C-597/19, EU:C:2021:492, paragraph 107 and judgment of 12 November 2020, Sonaecom, C-42/19, EU:C:2020:913, paragraph 29.
[6] IAB Europe, C‑604/22, paragraph 34. By analogy, refer to judgment of 22 June 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 38 and the case-law cited.
[7] Judgment of the Court of 4 May 2023, Österreichische Datenschutzbehörde and CRIF, C‑487/21, EU:C:2023:369, paragraph 23, and the case-law cited.
[8] Österreichische Datenschutzbehörde and CRIF, C‑487/21, paragraph 24, as well as the case-law cited therein.
[9] See, by analogy, the judgment of the Court of 19 October 2016, Breyer, C‑582/14, EU:C:2016:779, paragraph 41.
[10] According to art. 4, paragraph 5, of GDPR, «pseudonymisation» means «the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person».
[11] According to which: «The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.».
[12] Judgment of the Court of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 58.
[13] See, by analogy, Breyer, C‑582/14, paragraph 43.
[14] Pankki S, C‑579/21, paragraph 45.
[15] See «Transparency and Consent String with Global Vendor & CMP List Formats», available at the following link, and in particular the paragraph «TC String Format», which gives some examples of TC Strings and shows how they are composed (e.g. “COw4XqLOw4XqLAAAAAENAXCAAAAAAAAAAAAAAAAAAAAA.IFukWSQgAIQwgI0QEByFAAAAeIAACAIgSAAQAIAgEQACEABAAAgAQFAEAIAAAGBAAgAAAAQAIFAAMCQAAgAAQiRAEQAAAAANAAIAAggAIYQFAAARmggBC3ZCYzU2yIA.QFukWSQgAIQwgI0QEByFAAAAeIAACAIgSAAQAIAgEQACEABAAAgAQFAEAIAAAGBAAgAAAAQAIFAAMCQAAgAAQiRAEQAAAAANAAIAAggAIYQFAAARmggBC3ZCYzU2yIA.YAAAAAAAAAAAAAAAAAA”).
[16] Recital 30 of GDPR states «Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.».
[17] IAB Europe, C‑604/22, paragraphs 42 et seq.
[18] IAB Europe, C‑604/22, paragraph 51.
[19] IAB Europe, C‑604/22, paragraph 50.
[20] Judgment of the Court of 4 May 2023, Bundesrepublik Deutschland (Court electronic mailbox), C‑60/22, EU:C:2023:373, paragraph 64.
[21] Judgment of the Court of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein, C‑210/16, EU:C:2018:388, paragraph 28.
[22] Joint controllership is then regulated according to art. 26, paragraph 1 of GDPR.
[23] See paragraph 58 of the Decision: «the existence of joint controllership does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data.».
[24] See «Guidelines 07/2020 on the concepts of controller and processor in the GDPR» of the European Data Protection Board, paragraphs 54 et seq. See also Wirtschaftsakademie Schleswig-Holstein, C‑210/16, paragraph 38, as well as Judgment of the Court of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraphs 66 and 69.
[25] IAB Europe, C‑604/22, paragraph 59.
[26] IAB Europe, C‑604/22, paragraph 61.
[27] IAB Europe, C‑604/22, paragraphs 62, 63 and 64.
[28] IAB Europe, C‑604/22, paragraph 66.
[29] IAB Europe, C‑604/22, paragraphs 68 and 69.
[30] IAB Europe, C‑604/22, paragraph 70.
[31] Guidelines 7/2020, par. 2.1.5. See also, Judgment of the Court of 29 July 2019, Fashion ID, C‑40/17, EU:C:2019:629, paragraph 74.
[32] IAB Europe, C‑604/22, paragraphs 74, 75 and 76.
[33] IAB Europe, «FAQ: APD DECISION ON IAB EUROPE AND TCF», last updated March 2024.
[34] IAB Europe, «European Court Ruling on IAB Europe v APD: Clearing the Fog», dated 8 March 2024, available at the following link.
[35] IAB Europe, «FAQ: APD DECISION ON IAB EUROPE AND TCF», last updated March 2024.