10 Jul The IAB Europe judgment and the scope of joint controllership: prevalence of the “means” over the “purposes”?

Authors: Giulio Monga, Miriam Andrea Fadda, Andrea Strippoli

IAB Europe and the importance of the Transparency & Consent Framework (“TCF“) for Real Time Bidding systems

IAB Europe is a Belgium-based association that represents companies in the advertising and digital marketing industry on a European level. Its members include publishers and other companies active in e-commerce or marketing, as well as national trade associations. Among the initiatives undertaken by IAB Europe is the development of the TCF. The TCF is a framework of standards consisting of guidelines, instructions, technical specifications, protocols and contractual obligations, which should enable websites, application providers, data brokers or advertising platforms adopting it to process users’ personal data in accordance with EU Regulation 2016/679 (GDPR) in the context of RTB activities.

RTB is an instant and automated online auction system of user profiles, aimed at buying and selling advertising space on the Internet. When a user consults a website or an application containing advertising space, companies, data brokers and advertising platforms can submit real-time bids to obtain, through an automated auction system based on algorithms, the given advertising space, on which targeted advertisements will be shown based on the user’s profile. This last feature constitutes the most relevant aspect of RTB, both from a commercial and a data protection perspective.

With regard to privacy, it is crucial to note the need to obtain the user’s prior consent before they can view targeted advertisements based on their preferences. This consent is obtained through a special Consent Management Platform (“CMP”), which each user should be able to view when consulting a website or application for the first time. In this context, the TCF makes it possible to keep track of user preferences, which are encoded and stored in a string consisting of a combination of letters and characters called the Transparency and Consent String (“TC String”). The TC String is shared with brokers and advertising platforms so that they know what the user has consented to and objected to. Furthermore, through the CMP, a cookie (euconsent-v2) is installed on the user’s device. When associated with the TC String, it can be correlated with the IP address of the data subject, thus allowing their identification.

IAB Europe as joint controller of the data relating to the preferences of the users

After confirming the nature of “personal data” of the TC String,[1] the Court of Justice of the European Union (judgement of 7 March 2024)[2] addressed the role played by IAB Europe in the processing of user preference data described above, taking into account the notion of “joint controller”.

The Court first found that according to the GDPR’s general objective of ensuring a high level of protection for the fundamental rights and freedoms of natural persons, the GDPR provides for a broad concept of “controller”.[3] Therefore, a natural or legal person which exerts influence over the processing of personal data, for his, her or its own purposes, and which participates, as a result, in the determination of the purposes and means of that processing may be regarded as a controller.

The Court then went on to examine the notion of “joint controllership” set forth in Article 26 GDPR. In particular, also on the basis of previous case law,[4] the Court reiterated how the existence of joint controllership does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees. This requires that their respective level of responsibility must be assessed in the light of all the relevant circumstances of the particular case. The Court also confirmed the important principle that the existence of a joint controllership does not require that each joint controller has access to the personal data concerned. This principle is relevant to the case at stake, since IAB Europe does not have access to the data – i.e., the TC Strings and related IP addresses – which are only available for consultation by its TCF members.

Examining the position of IAB Europe in detail, the Court held that the association, by making available to its members a framework of rules such as the TCF, it intended to encourage the buying and selling of advertising spaces by operators who comply with it and in doing so influences, for the purposes of its own making, the processing carried out by those operators. Consequently, it determines, jointly with its members, the purposes of such processing.

Regarding the means of processing, the Court observed that IAB Europe may adopt non-compliance and suspension decisions that may result in the exclusion of members from the from TCF where they  do not comply with the TCF rules. Doing so then prevents them from relying on the guarantee of GDPR compliance that those rules are deemed to provide for the processing of personal data carried out by means of TC Strings. The Court then added that the TCF contains technical specifications relating to the processing of TC Strings. Those specifications provide a precise description of how CMPs are required to collect users’ preferences relating to the processing of their personal data and how such preferences must be processed to generate a TC String. Precise rules are also laid down regarding the content, storage and sharing of the TC String. In addition, the Court noted that IAB Europe prescribes, as part of those rules, the standardised manner in which the various parties involved in the TCF may consult the preferences, objections and consents of users contained in the TC Strings. Thus, in addition to the purposes, IAB Europe also determines, jointly with its members, the means of the processing operations described.

Conclusion

With the IAB Europe judgment, the Court of Justice of the European Union has provided a new key to interpreting the notion of “joint controllership”, arguably broadening its scope.

In addition to reaffirming already established principles such as the principle concerning the differentiation of responsibilities of joint controllers or the principle according to which it is not necessary for all joint controllers to have access to the personal data subject to processing, the ruling has also placed particular emphasis on the elaboration and provision of a tool made of technical and legal rules to perform a processing activity by a joint controller. The fact IAB had developed the TCF in such a way that it facilitates the buying and selling of online advertising spaces by its members was considered sufficient to decide that IAB Europe had determined the purpose of the processing.

It will be necessary to await the next developments in case law to understand whether it is appropriate to speak of the prevalence of the “means” over the “purposes” of the processing to determine the presence of joint controllership (or, if it is the case, independent controllership).

[1] See the first of two questions examined by the Court in the IAB Europe judgment (points 32-51).

[2] CJEU, case C-604/22, IAB Europe c. Gegevensbeschermingsautoriteit, interveners: Jef Ausloos, Pierre Dewitte, Johnny Ryan, Fundacja Panoptykon, Stichting Bits of Freedom, Ligue des droits humains VZW, 7 March 2024 – ECLI:EU:C:2024:214.

[3] V. points 53-55 of IAB Europe judgment, as well as, by way of analogy, point 28 of judgment Wirtschaftsakademie Schleswig-Holstein (CJEU, case C-210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein c. Wirtschaftsakademie Schleswig-Holstein GmbH, interveners: Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, 5 June 2018 – ECLI:EU:C:2018:388).

[4] CJEU, case C-25/17, Tietosuojavaltuutettu interveners: Jehovan todistajat – uskonnollinen yhdyskunta, 10 July 2018 – ECLI:EU:C:2018:551.