May.07.2024
The Court of Justice of the European Union (CJEU) has made a landmark decision (7 March 2024, C-604/22) on the intricacies of adtech, personal data, and joint control against the background of the General Data Protection Regulation (GDPR). In clarifying several points that make it relevant beyond adtech, the ruling:
Are you processing data that you believe is anonymized, but a third party may have additional identifying information?
According to the CJEU, even if you have data that is not identifiable to an individual, the data may be "personal" if you have reasonable means to access data held by a third party that would make your data identifiable. This is true even if you do not actually obtain access to that other data.
Do you direct other companies to undertake advertising purposes on your behalf (even if you don’t share any data with them)?
If so, you may be considered a joint controller with those companies and thus need to revisit existing contracts. If they include a data processing agreement, or no data protection contract exists, you may need to conclude a joint controller agreement (JCA).
If you do need to conclude a JCA, make sure the limits of joint control are clearly defined, as this may limit your responsibility; the CJEU has established that joint control does not exclude the existence of individual areas of responsibility of the parties.
The Facts of the Case
The case involves IAB Europe, a non-profit association representing the digital advertising sector in Europe. IAB Europe offers a Transparency & Consent Framework (TCF) to harmonize Real-Time Bidding (RTB) with GDPR compliance. RTB operates as an automated auction process, where advertising companies bid in real-time to display targeted ads to users based on a variety of signals, including, in many circumstances, personal data. The process occurs within milliseconds as a webpage loads, determining which ads the user will see.
The TCF contains technical specifications relating to processing data related to the user's preferences before any targeted ad is displayed. Those specifications describe how the user's consent is obtained by way of a Consent Management Platform (CMP). Upon a user's first visit to a site or app, a CMP pop-up solicits consent for data processing for advertising among other purposes. It gives the user the opportunity to object to other processing activities or types of personal data.
The user's choices are saved as a string of code called the "TC String," which, alongside a cookie, informs participating companies about the user's consent or objections. With the additional information contained in a cookie placed by the CMP on the user's device, the TC String can be linked to the user’s IP address.
To enforce the uniform use of the system, IAB Europe imposes rules on its members regarding the technical implementation, storage, and dissemination of the information obtained this way. It monitors compliance with these rules and can exclude members from using the network in the event of violations.
Legal Questions to the CJEU
Following a number of complaints, the Belgian Data Protection Authority determined that IAB Europe acts as a data controller and initiated enforcement actions, including a EUR 250.000 fine. IAB Europe argued that it does not combine the TC String with IP addresses, which would be necessary to identify the users, and that it lacks access to data processed by its members.
Following the inquiry by a Belgian court, the CJEU had to decide on – in essence – the following questions:
1. A TC String is considered personal data.
The CJEU ruled that a string composed of letters and characters, such as a TC String, constitutes personal data.
Indeed, the CJEU argues that the GDPR defines "personal data" broadly as any information that relates to an identified or identifiable individual, whether directly or indirectly. This definition is purposefully broad, encompassing objective data, subjective opinions, and assessments, so long as they are connected to a person.
Thus, even if the TC String doesn't directly identify a user, it would represent individual consent preferences. When combined with an identifier, such as an IP address, it could facilitate the creation of a detailed user profile. The CJEU states that it does not matter that the TC String could not, in the hands of IAB Europe, be associated with an identifier, since IAB Europe had reasonable means to access corresponding identifying information (e.g., IP address). Thus, the court concluded that the TC String was personal data to IAB Europe.
2. IAB Europe and the TCF members are joint controllers.
The CJEU ruled that anyone who has a say in processing may be considered a joint controller, even if they only provide partial or abstract instructions for processing operations and even if they do not have direct access to the data. The members of IAB Europe collected the TC String in accordance with the rules of the TCF and are thus considered controllers. Even though IAB Europe does not have direct access to identifying data, it jointly determines, to a certain extent, the purposes and means of the processing of such data and thus is deemed a joint controller.
The CJEU argues that the objective of the GDPR is to establish a high level of protection of fundamental rights. This means the concept of controller is also broadly defined to protect data subjects. This concept may concern several actors taking part in the processing, while joint controllership does not necessarily imply equal responsibility of the operators engaged in the processing. It is sufficient that the different operators are involved at different stages and to different degrees of that processing. The level of responsibility of each of them must be assessed in the light of all the relevant circumstances of the particular case. Such participation can result from a common decision by two or more entities or from converging decisions of those entities, as long as the decisions complement each other. However, a formal arrangement between both controllers is not necessary (Orrick note: but recommended for documentation purposes).
Since the rules of the TCF are mandatory regarding details that concern processing, such as how CMPs are required to collect user preferences and the contents of the TC String, the CJEU considers IAB Europe to exert influence on essential purposes and means of processing and thereby to be a (joint) controller.
3. Joint control is limited to jointly determined processing.
The CJEU outlines that a party may be considered a joint controller if it co-determines the purposes and methods of data processing. The CJEU also differentiates between two stages of data handling within the context of IAB Europe and its members: first, the collection of consent preferences using the TC String under the TCF rules, and second, the further processing of data based on those preferences, such as sharing data with third parties or displaying targeted advertising.
IAB Europe's rules apply solely to the first stage, as, subject to the verifications which are for the referring court to carry out, IAB Europe does not appear to be involved in the subsequent data processing activities. Therefore, the CJEU only considers IAB Europe to be a joint controller for the first stage involving the TC String. To consider IAB Europe a controller for the later stages of data processing, it would need to be proven that IAB Europe influenced the determination of the processing's purposes and means. It is up to the referring court to examine all relevant factors to decide whether IAB Europe holds such influence in the specific case being considered.
The decision will return the case to a Belgian court, meaning the outcome has not yet been determined. Regarding adtech, it is likely that TC Strings will in the future be regarded as personal data. Accordingly, all requirements of the GDPR apply to these, e.g., regarding legal bases, information obligations, and data subject rights.
Furthermore, the participants in the TCF are to be understood as joint controllers with each other. This also applies to website operators that utilize vendors from the TCF’s Global Vendor List. Companies that use such partners should therefore make sure to conclude corresponding data protection agreements.
If you have questions, reach out to our authors (Christian Schröder, Sundeep Kapur, Robert Weinhold, and Tobias Stephan) or other members of the Orrick team.