CJEU Issues Landmark Adtech Decision on Personal Data and Joint Control with Broad Implications: What You Need to Know and Do

The Court of Justice of the European Union (CJEU) has made a landmark decision (7 March 2024, C-604/22) on the intricacies of adtech, personal data, and joint control against the background of the General Data Protection Regulation (GDPR). In clarifying several points that make it relevant beyond adtech, the ruling:

• Supports the existing view that data can only be considered anonymized if the company in question does not have any data that can, by itself, be tied to an individual and does not reasonably have access to the identifying information held by a third party. (This aligns with prior decisions, in particular with respect to dynamic IP-addresses.) 
• Confirms the interpretation of joint controllers, which had been interpreted very broadly in the Fashion ID and Fan-pages decisions. As a result, neither a formal agreement between parties nor access to data is necessary for authorities to classify a company as a joint controller. 
• Confirms that joint control only refers to the area in which joint decisions are actually made. This is important as companies can mitigate risk of joint and several liability if they clearly define areas of sole responsibility. 

What the Ruling Means for Companies That Use Data

Are you processing data that you believe is anonymized, but a third party may have additional identifying information? 

According to the CJEU, even if you have data that is not identifiable to an individual, the data may be "personal" if you have reasonable means to access data held by a third party that would make your data identifiable. This is true even if you do not actually obtain access to that other data.  

Do you direct other companies to undertake advertising purposes on your behalf (even if you don’t share any data with them)? 

If so, you may be considered a joint controller with those companies and thus need to revisit existing contracts. If they include a data processing agreement, or no data protection contract exists, you may need to conclude a joint controller agreement (JCA). 

If you do need to conclude a JCA, make sure the limits of joint control are clearly defined as this may limit your responsibility; the CJEU has established that joint control does not exclude the existence of individual areas of responsibility of the parties.

The Facts of the Case

The case involves IAB Europe, a non-profit association representing the digital advertising sector in Europe. IAB Europe offers a Transparency & Consent Framework (TCF) to harmonize Real-Time Bidding (RTB) with GDPR compliance. RTB operates as an automated auction process, where advertising companies bid in real-time to display targeted ads to users based on a variety of signals, including, in many circumstances, personal data. The process occurs within milliseconds as a webpage loads, determining which ads the user will see.

The TCF contains technical specifications relating to processing data related to the user's preferences before any targeted ad is displayed. Those specifications describe how the user's consent is obtained by way of a Consent Management Platform (CMP). Upon a user's first visit to a site or app, a CMP pop-up solicits consent for data processing for advertising among other purposes. It gives the user the opportunity to object to other processing activities or types of personal data. 

The user's choices are saved as a string of code called the "TC String," which, alongside a cookie, informs participating companies about the user's consent or objections. With the additional information contained in a cookie placed by the CMP on the user's device, it can be linked to the user’s IP address. 

To enforce the uniform use of the system, IAB Europe imposes rules on its members regarding the technical implementation, storage, and dissemination of the information obtained this way. It monitors compliance with these rules and can exclude members from using the network in the event of violations.

Legal Questions to the CJEU

Following a number of complaints, the Belgian Data Protection Authority determined that IAB Europe acts as a data controller and initiated enforcement actions including a EUR 250.000 fine. IAB Europe argued that it does not combine the TC String with IP addresses, which would be necessary to identify the users and that it lacks access to data processed by its members.

Following the inquiry by a Belgian court, the CJEU had to decide on – in essence – the following questions: 

• To what extent is the TC String considered personal data to an organization like IAB Europe? For example, if the organization had access to a TC String but did not have direct access to IP addresses or any identifying information, is that organization still processing “personal data”?
• Is an organization a joint controller if it offers a standard for managing consent that sets out in detail how that consent-related data – which constitutes personal data – must be stored and disseminated? Is it relevant if the organization does not have direct access to the personal data that is subject to the standard?
• Does the responsibility extend to subsequent processing by advertising partners for targeted advertising purposes?

What the CJEU Decided

1. A TC String is considered personal data.

The CJEU ruled that a string composed of letters and characters, such as a TC String, constitutes personal data. 

Indeed, the CJEU argues that the GDPR defines "personal data" broadly as any information that relates to an identified or identifiable individual, whether directly or indirectly. This definition is purposefully broad, encompassing objective data, subjective opinions, and assessments, so long as they are connected to a person. 

Thus, even if the TC String doesn't directly identify a user, it would represent individual consent preferences. When combined with an identifier, such as an IP address, it could facilitate the creation of a detailed user profile. The CJEU states that it did not matter that the TC String could not, in the hands of IAB Europe, be associated with an identifier since IAB Europe had reasonable means to access corresponding identifying information (e.g., IP address). Thus, the court concluded TC String was personal data to IAB Europe. 

2. IAB Europe and the TCF members are joint controllers.

The CJEU ruled that anyone who has a say in processing may be considered a joint controller, even if they only provide partial or abstract instructions for processing operations and even if they do not have direct access to the data. The members of IAB Europe collected the TC String in accordance with the rules of the TCF and are thus considered controllers. Even though IAB Europe does not have direct access to identifying data, they jointly determine, to a certain extent, the purposes and means of the processing of such data and thus are deemed a joint controller.

The CJEU argues that the objective of the GDPR is to establish a high level of protection of fundamental rights. This means the concept of controller is also broadly defined to protect data subjects. This concept may concern several actors taking part in the processing, while joint controllership does not necessarily imply equal responsibility of the operators engaged in the processing. It is sufficient that the different operations are involved at different stages and to different degrees of that processing. The level of responsibility of each of them must be assessed in the light of all the relevant circumstances of the particular case. Such participation can result from a common decision by two or more entities or from converging decisions of those entities, as long as the decisions complement each other. However, a formal arrangement between both controllers is not necessary (Orrick note: but recommended for documentation purposes). 

Since the rules of the TCF are mandatory regarding details that concern processing, such as how CMPs are required to collect user preferences and contents of the TC String, CJEU considers IAB Europe to exert influence on essential purposes and means of processing and thereby is a (joint) controller. 

3. Joint control is limited to jointly determined processing.

The CJEU outlines that a party may be considered a joint controller if it co-determines the purposes and methods of data processing. The CJEU also differentiates between two stages of data handling within the context of IAB Europe and its members. First, the collection of consent preferences using the TC String under the TCF rules, and second, the further processing of data based on those preferences, such as sharing data with third parties or displaying targeted advertising.

IAB Europe's rules solely apply to the first stage, as it, subject to the verifications which are for the referring court to carry out, does not appear to involve IAB Europe in the subsequent data processing activities. Therefore, the CJEU only considers IAB Europe to be a joint controller for the first stage involving the TC String. To consider IAB Europe a controller for the later stages of data processing, it would need to be proven that IAB Europe influenced the determination of the processing's purposes and means. It is up to the referring court to examine all relevant factors to decide whether IAB Europe holds such influence in the specific case being considered.

Looking to the Future

The decision will return the case to a Belgian court, meaning the outcome has not yet been determined. Regarding adtech, it is likely in the future that TC Strings will be regarded as personal data. Accordingly, all requirements of the GDPR apply to these, e.g., about legal bases, information obligations, and data subject rights.

Furthermore, the participants in the TCF are to be understood as joint controllers with each other. This also applies to website operators that utilize vendors from the TCF’s Global Vendor List. Companies that use such partners should therefore make sure to conclude corresponding data protection agreements. 

If you have questions, reach out to our authors (Christian Schröder, Sundeep Kapur, Robert Weinhold, and Tobias Stephan) or other members of the Orrick team.