Belgium: Issued Court of Justice ruling determining that TC String information classifies as personal data and IAB Europe represents a joint controller under GDPR (Case C-604/22)

On 7 March 2024, the Court of Justice of the European Union (CJEU) issued its ruling in the case C-604/22 concerning an appeal against the Belgian Data Protection Authority (APD)'s administrative ruling regarding the alleged General Data Protection Regulation (GDPR) violation of IAB Europe's Transparency and Consent String (TC String). The CJEU determined that the TC String contains identifiable user information, thus constituting personal data under GDPR. The CJEU also determined that IAB Europe, a non-profit association representing digital advertising and marketing enterprises at the European level, must be considered a "joint controller" under GDPR. This ruling is based on IAB Europe's influence over data processing operations when user consent preferences are recorded in a TC String. Furthermore, the CJEU clarified that IAB Europe cannot be considered a controller for data processing operations occurring after the consent preferences are recorded unless it can be proven that the association has influenced the determination of the purposes and means of those subsequent operations. Previously, the APD imposed a fine of EUR 250'000 for non-compliance with the GDPR and ordered the deletion of all data held by the IAB and other recipients of the data. The APD has found that the TCF involves the collection and dissemination of personal user preferences and data without obtaining proper consent or lawful basis, constituting breaches of the GDPR on the grounds of lawful processing (Art.6) and the principles of lawfulness and fairness. The TCF is a mechanism for collecting user consent to data collection, advertising, and cookie use upon visiting websites. Following the APD decision, the data controllers and the website providing advertising space have to disclose if they are using the TCF framework.