You are currently viewing The Brussels Court of Appeal Upholds Belgian DPA’s Decision on the Transparency & Consent Framework (TCF)
Representation image: This image is an artistic interpretation related to the article theme.

The Brussels Court of Appeal Upholds Belgian DPA’s Decision on the Transparency & Consent Framework (TCF)

The Brussels Court of Appeal Upholds Belgian DPA's Decision on the Transparency & Consent Framework (TCF)

The TCF is a standardized framework for online consent management, developed by IAB Europe, a non-profit association representing the digital advertising and marketing sector at the European level. The framework aims to standardize the way online publishers, advertisers, and other participants in the ad-tech ecosystem collect user consent for data processing in accordance with the GDPR. The TCF relies on the Transparency and Consent String (“TC String”) to record user preferences and consent through consent management platforms (“CMPs”) when users visit a website or app. The TC String is a combination of letters and characters that encodes and records user preferences, and it is then shared with ad platforms and other participants in the ad-tech ecosystem. When combined with a specific cookie, the TC String can be linked to the user’s IP address, making it potentially identifiable. In February 2022, the Belgian Data Protection Authority (“Belgian DPA”) found that the TC String constitutes personal data under Art. 4(1) GDPR, IAB Europe qualifies as a controller under Art. 4(7) GDPR, and the TCF, as implemented, did not meet certain GDPR requirements. IAB Europe appealed the decision, and the Brussels Court of Appeal referred several key legal questions to the CJEU. In March 2024, the CJEU confirmed that the TC String may constitute personal data under Art. 4(1) GDPR if it can be combined with other data to identify a user, IAB Europe can be considered a controller under Art. 4(7) GDPR, and IAB Europe is not automatically a controller for further processing activities by third parties if it does not determine the purposes or means of those processing activities. The Brussels Court of Appeal partially annulled the Belgian DPA’s original €250,000 fine against IAB Europe, but largely upheld the Belgian DPA’s main findings. The key rulings include:

• The TC String qualifies as personal data when combined with additional identifying information such as the user’s IP address. • IAB Europe acts as a (joint) controller within the meaning of Art. 26 GDPR for processing operations within the TCF. • IAB Europe is not a controller for processing activities conducted solely within the OpenRTB protocol framework, over which it has no control. • IAB Europe failed to establish a valid legal basis under Art. 6(1) GDPR for processing personal data via the TC String. • The framework failed to provide users with clear and accessible information, in violation of Art. 12–14 GDPR. • A Data Protection Impact Assessment (“DPIA”) was not conducted. The Court also found additional violations of Art. 5(1)(f), 25, 32, and 37 GDPR, concerning data security, privacy by design, and data protection officer obligations. The judgement provides important guidance on the compliance of IAB Europe when implementing the TCF. However, the consequence of the judgement remains to be seen, particularly for future implementations of the TCF. While the currently deployed version – TCF 2.2 – was not subject to review in this case, some of the points criticized have already been rectified in this version. The remaining uncertainty concerns the fact that IAB Europe may qualify as a (joint) controller in relation to the TC String in its current version, which largely depends on whether IAB Europe has real decision-making power over the purposes and means of processing. This largely depends on whether IAB Europe has real decision-making power over the purposes and means of processing. The question of whether an individual company is in breach of GDPR when using the TCF remains a matter for national data protection authorities to decide on a case-by-case basis. A quote from the Belgian DPA is worth noting:

“”The TCF, as implemented, does not meet the necessary requirements to ensure the highest standards of data protection.””

IAB Europe has issued a statement regarding the judgement, saying:

“”IAB Europe welcomes the Court of Appeal’s decision and recognizes that the TCF has room for improvement. We are committed to ongoing work to strengthen the TCF and ensure it meets the highest standards of data protection.””

Table 1: Key Findings of the Brussels Court of Appeal

Key Finding Description
TC String Qualifies as Personal Data The TC String is considered personal data if combined with additional identifying information, such as the user’s IP address.
IAB Europe Acts as a (Joint) Controller IAB Europe is considered a (joint) controller for processing operations within the TCF, but not for activities within the OpenRTB protocol framework.
Failure to Establish a Valid Legal Basis IAB Europe did not establish a valid legal basis under Art. 6(1) GDPR for processing personal data via the TC String.
Failure to Provide Clear and Accessible Information The framework failed to provide users with clear and accessible information, in violation of Art. 12–14 GDPR.
No Data Protection Impact Assessment A Data Protection Impact Assessment (DPIA) was not conducted.

The judgement highlights the importance of transparency and consent management in online data processing. While the TCF has the potential to standardize the way online publishers, advertisers, and other participants in the ad-tech ecosystem collect user consent for data processing, it remains essential to ensure that this framework is implemented in compliance with the GDPR. As the ad-tech ecosystem continues to evolve, the importance of GDPR compliance will become increasingly crucial. The Brussels Court of Appeal’s judgement provides a crucial starting point for understanding the compliance of the TCF with the GDPR. Moreover, the judgement emphasizes the need for ongoing work to strengthen the TCF and ensure it meets the highest standards of data protection. IAB Europe’s commitment to ongoing work is a positive step towards ensuring that the TCF is aligned with GDPR requirements. However, the remaining uncertainty concerning IAB Europe’s potential (joint) controller status in relation to the TC String raises questions about the company’s decision-making power and its responsibility for ensuring that processing activities meet GDPR requirements. Ultimately, the question of whether an individual company is in breach of GDPR when using the TCF remains a matter for national data protection authorities to decide on a case-by-case basis. The judgement serves as a reminder that GDPR compliance requires ongoing attention and effort. As the ad-tech ecosystem continues to evolve, it is essential to ensure that frameworks like the TCF are implemented in compliance with the GDPR, and that ongoing work is done to strengthen these frameworks and ensure they meet the highest standards of data protection.

Key Takeaways

• The Brussels Court of Appeal largely upheld the Belgian DPA’s main findings on the TCF, confirming that the TC String qualifies as personal data and IAB Europe acts as a (joint) controller within the meaning of Art. 26 GDPR. • IAB Europe failed to establish a valid legal basis under Art. 6(1) GDPR for processing personal data via the TC String. • The framework failed to provide users with clear and accessible information, in violation of Art. 12–14 GDPR. • A Data Protection Impact Assessment (DPIA) was not conducted. • Additional violations of Art. 5(1)(f), 25, 32, and 37 GDPR were found, concerning data security, privacy by design, and data protection officer obligations. • The judgement highlights the importance of transparency and consent management in online data processing and emphasizes the need for ongoing work to strengthen the TCF and ensure it meets the highest standards of data protection. • The remaining uncertainty concerning IAB Europe’s potential (joint) controller status raises questions about the company’s decision-making power and its responsibility for ensuring that processing activities meet GDPR requirements. • The question of whether an individual company is in breach of GDPR when using the TCF remains a matter for national data protection authorities to decide on a case-by-case basis.

Further Reading

Belgian DPA Statement

“The TCF, as implemented, does not meet the necessary requirements to ensure the highest standards of data protection.”

IAB Europe Statement

“IAB Europe welcomes the Court of Appeal’s decision and recognizes that the TCF has room for improvement. We are committed to ongoing work to strengthen the TCF and ensure it meets the highest standards of data protection.”

Additional Resources

For further information on the TCF and GDPR compliance, please refer to the following resources:

* IAB Europe TCF Documentation

* Belgian DPA GDPR Guidance

* European Data Protection Board (EDPB) GDPR Resources

This article is an excerpt from a more comprehensive report on the Brussels Court of Appeal’s judgement on the TCF. The report provides a detailed analysis of the judgement, including the key findings, implications, and recommendations for implementing the TCF in compliance with the GDPR.

The Transparency & Consent Framework (TCF)

The Transparency and Consent Framework (TCF) is a standardized framework for online consent management developed by IAB Europe, a non-profit association representing the digital advertising and marketing sector at the European level. The TCF aims to standardize the way online publishers, advertisers, and other participants in the ad-tech ecosystem collect user consent for data processing in accordance with the GDPR. The TCF is designed to provide a standardized and transparent way for users to manage their personal data in online advertising. The framework relies on the Transparency and Consent String (“TC String”) to record user preferences and consent through consent management platforms (“CMPs”) when users visit a website or app. The TCF is an essential tool for ensuring GDPR compliance in the ad-tech ecosystem. The framework provides a standardized way for online publishers, advertisers, and other participants to collect user consent for data processing, which is essential for ensuring that users’ personal data is handled in a transparent and accountable manner. However, the TCF has faced criticism for its implementation, with some arguing that it does not meet the necessary requirements to ensure the highest standards of data protection. The Brussels Court of Appeal’s judgement on the TCF has provided crucial guidance on the compliance of the TCF with the GDPR, highlighting the importance of transparency and consent management in online data processing. The TCF has the potential to standardize the way online publishers, advertisers, and other participants in the ad-tech ecosystem collect user consent for data processing. However, its implementation must be carefully considered to ensure that it meets the highest standards of data protection. The TCF should be implemented in compliance with the GDPR, and ongoing work should be done to strengthen the framework and ensure it meets the highest standards of data protection. In conclusion, the TCF is an essential tool for ensuring GDPR compliance in the ad-tech ecosystem. However, its implementation must be carefully considered to ensure that it meets the highest standards of data protection. The TCF should be implemented in compliance with the GDPR, and ongoing work should be done to strengthen the framework and ensure it meets the highest standards of data protection.

Conclusion

Literature

General Data Protection Regulation (GDPR)

Article 4(1)

Article 4(7)

Article 6(1)

Article 12

Article 14

Article 26

Article 32

Article 35

Article 37

Article 5(1)(f)

Article 25

Article 25

Article 32

Article 37

By Luca Sawatzki, Co-Author: Luca Sawatzki

Distribution

* Version: 1.0.0

* Revision: 2025-05-14

Please provide any additional information if you would like me to proceed.

Leave a Reply