On March 7, 2024, the CJEU rendered its judgement in the IAB Europe case (C-604/22). The case relates to the role of IAB Europe, a sector organization, in its Transparency and Consent Framework (“TCF”), which companies use to record the GDPR consent granted (or not granted) by a user and to document compliance with their GDPR transparency obligations. The framework is widely used in digital advertising, including in real-time bidding scenarios; below, we set out the court’s three main findings.

First, the Court decided that a code generated to record the end-user’s consent choice and document the GDPR’s transparency obligation – the so-called TC String – is personal data, because it can be linked to the end-user.  The Court suggests that the TC String is also personal data for IAB Europe because it has reasonable means to identify the end-user, as it can compel TCF users to provide data.  However, this is an erroneous assumption because IAB Europe does not in fact receive, or have the right to receive, this data from TCF users.

Second, the Court decided that IAB Europe, as a sector organization which created the TCF standards (but does not itself receive personal data from TCF users or engage in digital advertising), is a joint-controller with the users of the TCF in respect of the creation and use of the TC String. The Court holds that the TCF serves to foster digital advertising and that IAB Europe, as a digital advertising sector organization, appears to have its own interest in the processing and therefore jointly determines the purpose of processing. This is a particularly broad interpretation of the phrase “determining the purpose of the processing”, as the interest pursued (that is, the “purpose of the processing”) can apparently be very abstract. This may be relevant for many sectoral organizations and standard-setting bodies, and could affect their ability to develop standards. In addition, by setting a technical standard, IAB Europe would also have determined the “means” of the processing. The Court sets out general principles but emphasizes that the referring court, the Brussels Market Court, must verify the underlying facts.

Finally, the Court decided that IAB Europe is not a joint controller for the processing that takes place on the basis of the TC String (i.e., the processing for which the TC String documents consent).  The Court points out that it is not apparent that IAB Europe is involved in this processing and that it can therefore not automatically be considered to be the controller.

Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.