Update Data Protection No. 131
Belgian Data Protection Authority Approves Action Plan of IAB Europe with respect to TCF 2.0 – Decision by the Court of Justice of the European Union still Pending
The Interactive Advertising Bureau Europe (“IAB”) had submitted a plan to the Belgian Data Protection Authority (BE DPA) setting out how it intended to bring the widespread Transparency and Consent Framework 2.0 (“TCF 2.0”) into compliance with the authority’s data protection requirements. This dispute is relevant for virtually all website operators which use an IAB Consent Management Platform (“CMP”) to obtain consents for tracking and marketing tools.
The Brussels-based authority approved IAB’s plan on January 11, 2023 and gave IAB six months to technically implement its specifically designed plan. In the parallel pending proceedings, the Belgian Market Court had previously stayed the proceedings and referred two questions on the interpretation of the GDPR to the Court of Justice of the European Union (CJEU).
Background and progress of the proceedings to date
The IAB is an advertising business organization that has set itself the goal of improving the effectiveness of online marketing. The TCF 2.0 is a widely used framework developed by the IAB that is intended to help companies to comply with the GDPR in their online advertising – in particular, by means of standardized consent management. In this context, the Transparency and Consent String (“TC String”) is also relevant, which is used to technically communicate the user’s consent and preferences.
The Belgian Data Protection Authority (whose jurisdiction is justified, as the IAB is also based in Belgium) had declared on February 2, 2022 that TCF 2.0 was partially incompatible with the GDPR after having received several complaints on this matter since 2019.
Administrative fine imposed on the IAB; referral to the CJEU
As a result of the decision, an administrative fine was imposed on the IAB and it was ordered to submit an action plan for the implementation of several corrective measures. You can find a more detailed explanation – of both the technical background information and the decision by the Belgian Authority – in our Data Protection Update No. 109.
The IAB appealed against the administrative fine before the Belgian Market Court. In autumn 2022, the Market Court stayed the proceedings and referred to the CJEU for a preliminary ruling two questions that were the basis of the authority’s decision (the interim judgement of the Market Court is available here, although sometimes only in the original in Dutch).
Firstly, the judges in Luxembourg are to answer whether the TC String constitutes personal data, and, secondly, it is to be decided whether the IAB can be seen as a (joint) controller for the processing of personal data in the context of the TCF 2.0 (both in relation to the TC String and also in relation to further processing). Alternatively, the parties which use the TCF 2.0 on their websites may be considered controllers. A decision by the CJEU is expected around autumn 2023 to early 2024.
What legal significance does the action plan have?
Notwithstanding the above, the IAB submitted an action plan to the Belgian Data Protection Authority in spring 2022, as requested, in order to correct the alleged GDPR violations. On January 11, 2023, the Belgian Data Protection Authority approved the action plan and thereby formally stated that the plan complies with its interpretation of the GDPR. The IAB now has six months to implement the proposed plan. It is also significant that, in accordance with Art. 60 (3) GDPR, this was coordinated across the Union; national data protection authorities of all EU Member States were therefore involved in the decision-making process and were able to contribute their views.
Even though the IAB is, of course, sticking to its original legal interpretation with regard to the pending decision by the CJEU, it declared pragmatically that it will “take any initiative to ensure that any future developments of the TCF 2.0 are sustainable.”
Outlook: The suspense continues
Especially for all website providers which use a CMP according to IAB TCF 2.0, approval of IAB’s action plan is a positive development. In relation to German data protection authorities, the IAB will adapt the TCF 2.0 in a way which satisfies the Belgian supervisory authority, which has exchanged views with the other data protection authorities beforehand. It can therefore be assumed that the Belgian approval will have a de facto effect throughout the Union. In this respect, the approval will also ensure greater legal certainty in Germany.
Nevertheless, the court proceedings in Luxembourg are still ongoing – in this respect, the “Sword of Damocles” of the pending CJEU judgement, which could contradict the authority’s decision, is hanging over the entire proceedings. Presumably, the CJEU will rule in accordance with its previous case law that the TC String is personal data and that the IAB is a joint controller under data protection law and therefore the Belgian Data Protection Authority was (and continues to be) in the right with its opinion of February 2022. This is likely to mean that the concept of joint controllership will continue to gain acceptance in the area of online marketing. Participants of the TCF 2.0 will then have to reach an agreement with the IAB on joint controllership; how such a contractual relationship will be structured by the IAB remains to be seen. However, a risk may arise from the fact that a claim for damages can be asserted against any of the joint controllers in accordance with Art. 82 GDPR.
We will keep you informed.