The IAB TCF goes ECJ
In the proceedings between IAB Europe and the Belgian Data Protection Authority (APD for short), the Belgian Market Court has handed down its much-awaited decision. Key questions concerning (joint-) controllership and what constitutes personal data in the ad tech sphere have been referred to the ECJ for clarification.
To recap: Earlier this year, the APD had issued a decision in which it found IAB Europe and the IAB TCF Standard which it stewards not being fully compliant with the GDPR. IAB Europe has been given the opportunity to remedy the findings and to provide the APD with an action plan on how to do so. While IAB Europe has complied with this request and presented the APD with an action plan for review, it has simultaneously challenged the APD decision in front of the Belgian Market Court.
Is the TC String personal data at all?
Only few expected the Market Court to deliver a sweeping victory to either side. Too complex are the legal issues involved. This is particularly true for the determination made by the APD that IAB Europe is a joint controller with all users of the IAB TCF. This allowed the APD to consider data processing activities of, in the view of the IAB Europe, unrelated third parties in its assessment of the IAB TCF. Further, much debate takes place around the question of whether or not the so-called "consent string", an alpha-numerical string of characters representing choices made regarding the processing of personal data on websites and apps, such as whether to allow personalised advertising, constitutes personal data under the GDPR.
?Both questions have now been forwarded to the ECJ. The way the Market Court has phrased its questions to the ECJ suggests that the Market Court is open to the idea that data may be personal data only to some of the actors.
领英推荐
All eyes on the ECJ
It is positive to see that the Market Court has decided to consult the ECJ on a number of issues, giving enough room for clarification on a host of issues subject to intense debate in the industry. This applies in particular to the question regarding the scope of any potential joint controllership. Since the ECJ's verdicts in Fashion-ID and Wirtschaftsakademie, debate has been fierce around how to delineate the scope of any potential joint controllership. This case may offer some clarity.
Lastly it is worth noting that the court also held that the APD did not follow proper diligence by accepting additional and later submissions by the complainants. This pertains especially to the assumption of cross border data processing but most importantly the determination that the TC-String is personal data.
Thus far there has been no explicit stay to the administrative proceedings, however an application to this end may be pending with the court.?
The press release of the APD can be found here .