Tatiana Rabinovich | March 21, 2024

CJEU on the application of the GDPR: personal data and joint controllers in the context of online marketing

On 7 March 2024, the Fourth Chamber of the Court of Justice of the European Union (“CJEU”) delivered its judgment in Case C-604/22 IAB Europe v Gegevensbeschermingsautoriteit (hereinafter “IAB Europe”), in which it addressed the interpretation of the terms “personal data” and “joint controllers” within the meaning of the GDPR.

The CJEU has interpreted both concepts expansively, with the result that data controllers and processors should review their internal procedures for processing personal data. In this article, we present the technologically interesting details of the IAB Europe case and outline the main practical implications of the judgment for data controllers and processors.

Circumstances of the case

The non-profit association IAB Europe issues a framework set of rules binding for its members, the stated aim of which is to ensure the lawfulness of the processing of personal data of users of websites or applications operated by its members. The rules in question also contain specific technical solutions, specifications and protocols for implementation in the sale and purchase of advertising space on the Internet.

One of the technical solutions provided by IAB Europe is the Transparency and Consent String (“TC String”) – a string consisting of a combination of letters and characters representing the encoded preferences of website or application users regarding the processing of their personal data. Each TC String with encoded preferences is then shared with data brokers and advertising platforms participating in the OpenRTB protocol, a system through which businesses trade advertising space on the Internet in real time. Based on the information contained in the TC String and the trade carried out via the OpenRTB protocol, the user whose data are encoded in the TC String in question will or will not be shown a specific advertisement.

It was in connection with the operation of the TC String that IAB Europe came under the scrutiny of the Belgian Data Protection Authority, which imposed a number of corrective measures on IAB Europe. IAB Europe appealed against the decision of the Authority, and the court proceedings raised the question of whether TC Strings could be considered personal data and IAB Europe the data controller.

CJEU assessment – personal data

  • IAB Europe argued in the preliminary ruling procedure that the TC String cannot be personal data because it is only a technical solution and does not itself contain data that can directly identify the data subject.
  • The CJEU ruled that the TC String is personal data on the grounds that its association with other data or an identifier (e.g. a user’s IP address) will make it possible to identify the data subject.
  • The fact that IAB Europe itself did not possess the other data or identifiers in question was considered irrelevant by the CJEU.

CJEU assessment – personal data controller

  • IAB Europe considered that it was not a data controller as it only provided its members with a technical solution and rules for its implementation.
  • The CJEU ruled that IAB Europe is a joint controller of personal data by virtue of the fact that, for its own purposes, it exercised influence over personal data processing operations and, together with its members, determined the means underlying personal data operations.

Practical implications

The most acute practical impact can be expected on IAB Europe member companies. However, the judgment has significant implications beyond the work of IAB Europe and beyond the sphere of online marketing.

Given that the CJEU also defines personal data as data that does not allow identification of the data subject on its own, but could allow identification in combination with other data, it is important that each controller and processor internally assess (i) whether it processes such data and (ii) whether it processes them lawfully.

Following an internal investigation, it may be necessary to:

  1. Update, where appropriate, records of processing activities, in particular:
     • categories of personal data processed;
     • categories of recipients of personal data;
     • personal data security.
  2. Educate those responsible for handling data subject rights on which data may be subject to the exercise of data subject rights under the GDPR.
  3. Invite business partners who hold corresponding data enabling the identification of the data subject to draw up joint controller arrangements.

The expert team of GT Legal will be happy to help you update your GDPR documentation.