On September 7, 2022, the Brussels Market Court adopted an interim decision in a case brought by IAB Europe, the sector organization for the digital marketing industry, against the Belgian Supervisory Authority.  The authority had fined IAB Europe alleging that its Transparency and Consent Framework (“TCF”) violates the GDPR and that the organization is a (joint) data controller for processing operations performed by the users of the standard, i.e., publishers and adtech vendors. Under the decision, IAB Europe was also required to present a work plan to remediate the alleged violations.

The Market Court decided that the Supervisory Authority violated the principle of due care in investigating the facts of the case and the allegations brought by the complainants.  The court supported the claim made by IAB Europe that the Supervisory Authority just took the allegations for granted without actually investigating them itself.  As a result, the court found its decision was not based on proven objective facts.

The Court did not address the merits of the case, but instead decided to refer questions to the CJEU in relation to the concept of personal data and data controller.

As a result of the referral, the court procedure has been suspended.  The consequences of the referral will be important for all Supervisory Authorities in the EU, especially those bound by the Belgian decision by virtue of Art. 60(6) GDPR.  As long as the CJEU has not pronounced itself on the fundamental points raised by the referred questions (nature of the data and responsibility of parties concerned), new enforcement actions against parties relying on the TCF will likely become more complicated.  A decision by the CJEU can easily take two years.  Moreover, as the Market Court did not assess the merits of the case and decided that the Supervisory Authority violated its duty of due care, even if the CJEU responds, the case may very well be returned to the Supervisory Authority for a second attempt.  A final decision on the matter is thus years off. Covington represents IAB Europe in this matter.

Reach out to Kristof Van Quathem for valuable insights, and related to questions on how this may impact your business.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.