2024 March 7
Judges O Spineanu-Matei, JC Bonichot, S Rodin, LS Rossi (Rapporteur)
Advocate General T Ćapeta
The claimant was a Belgian non-profit association which represented undertakings in the digital advertising and marketing sector at European level (“the sectoral organisation”). Its members were undertakings such as publishers, e-commerce and marketing undertakings which generated significant income through the sale of advertising space on websites or applications. The organisation drew up a transparency and consent framework (“TCF”) of rules intended to ensure that the processing of personal data of a user of a website or application was in compliance with Parliament and Council Regulation (EU) 2016/679 (the General Data Protection Regulation or “GDPR”) when those operators used the “OpenRTB protocol” for “Real Time Bidding”—an instant, automated online auction system of user profiles for the purpose of selling and purchasing advertising space on the internet. The TCF facilitated the recording of users’ preferences, which were subsequently encoded and stored in a “transparency and consent string” (“TC String”), composed of a combination of letters and characters. The TC String was shared with personal data brokers and advertising platforms participating in the OpenRTB protocol, so that they knew to what the user had or had not consented. A cookie was also placed on the user’s device which, when combined with the TC String, could be linked to that user’s IP address. Following a number of complaints against the claimant organisation, the defendant, the Belgian Data Protection Authority, ordered the organisation, as data controller, to bring into conformity with the GDPR the processing of data carried out in the context of the TCF. 
The claimant organisation challenged that decision before the Belgian Court of Appeal on the ground, inter alia, that it did not act as the controller of any personal data since only other participants in the TCF could combine the TC String with an IP address to convert it into an item of personal data, and that it could not access the data processed in that context by its members. The court questioned whether a TC String, be it combined with an IP address or not, constituted “personal data” under article 4(1) of the GDPR, defined as information relating to an identified or identifiable person. If so, the court questioned whether the organisation was to be classified as a “joint controller” of such personal data, in particular with regard to the processing of the TC String, for the purposes of articles 4(7) and 26(1) of the GDPR which together defined “joint controller” as two or more persons or bodies that determined the purposes and means of the processing of personal data. In those circumstances, the Belgian court stayed the proceedings and referred to the Court of Justice of the European Union for a preliminary ruling the questions, in essence, whether: (i) a “transparency and consent string”, such as that in issue, constituted “personal data” within the meaning of article 4(1) of the GDPR; and (ii) a sectoral organisation, such as the claimant, could be regarded as a “joint controller” for the purposes of articles 4(7) and 26(1) of the GDPR.
On the reference—
Held, (1) according to decided Court of Justice case law, the concept of “personal data” covered all information resulting from the processing of personal data relating to an identified or identifiable person. It followed that, in so far as a transparency and consent string, such as the TC String in issue, was composed of a combination of letters and characters, along with additional data, including the IP address of a user’s device or other identifiers which allowed that user to be identified, it constituted “personal data” within the meaning of article 4(1) of Regulation 2016/679 (the GDPR). Subject to verification by the referring court, the claimant organisation appeared to have reasonable means which allowed it to identify a particular person from a TC String on the basis of the information which its members and other organisations participating in the transparency and consent framework (“TCF”) were required to provide to it. It was irrelevant that an organisation such as the claimant could neither access the data that were processed by its members under the TCF rules nor combine the TC String with other identifiers, such as the IP address of a user’s device. Accordingly, a transparency and consent string, such as the TC String, containing the preferences of a user of the internet or of an application relating to that user’s consent to the processing of their personal data by a website or application provider, by a broker of such data or by an advertising platform, constituted “personal data” within the meaning of article 4(1) of the GDPR, in so far as the data allowed the data subject to be identified (judgment, paras 41, 45, 46, 49–51, operative part, para 1).
(2) Following decided Court of Justice case law, a natural or legal person who exerted influence over the processing of personal data, for their own purposes, and who participated, as a result, in the determination of the purposes and means of that processing, could be regarded as a “controller” within the meaning of article 4(7) of the GDPR. Subject to verification by the referring court, an organisation such as the claimant appeared to exert influence over the personal data processing operations for its own purposes and determined, jointly with its members, the purposes of, and the means behind, such operations. The claimant, therefore, had to be regarded as a “joint controller” for the purposes of articles 4(7) and 26(1) of the GDPR. Further, in the present case, there was a distinction between the processing of personal data carried out by the members of the claimant organisation, namely website or application providers and data brokers or advertising platforms, when the consent preferences of the users concerned were recorded in a TC String in accordance with the TCF rules, on the one hand, and the subsequent processing of personal data carried out by those operators and by third parties on the basis of those preferences, such as the transmission of the data to third parties or the offering of personalised advertising to those users, on the other hand. It followed that an organisation such as the claimant could be regarded as a controller in respect of such subsequent processing only where that organisation had exerted an influence over the determination of the purposes and means of that processing.
Accordingly, a sectoral organisation, in so far as it proposed to its members a framework of rules relating to consent to the processing of personal data, which contained not only binding technical rules but also rules setting out the detailed arrangements for storing and disseminating personal data relating to such consent, was a “joint controller”, within the meaning of articles 4(7) and 26(1) of the GDPR, where it exerted influence over the personal data processing in issue, for its own purposes, and thereby determined, jointly with its members, the purposes and means of such processing (judgment, paras 57, 64, 68, 70, 74, 76, 77, operative part, para 2).
P Craddock and K Van Quathem for the claimant sectoral organisation.
E Cloots, J Roets and T Roes for the Data Protection Authority, Belgium.
F Debusseré and R Roex for the interested parties.
J Schmoll and C Gabauer, agents, for the Austrian Government.
A Bouchagiar and H Kranenborg, agents, for the European Commission.