The case deals with Real Time Bidding (RTB) and the use of cookies and a so-called TC String. The Court also addresses the issue of the allocation of data responsibility when the platform is offered and used by several parties.
With the CJEU's decision, it is to be expected that the Belgian court will now decide the national case between IAB Europe and the Belgian Data Protection Authority. In this case, questions have been raised about the extent to which IAB Europe - and its members - can use Article 6(1)(f) of the GDPR on legitimate interest as a basis for processing in marketing activities. Significant contributions to the interpretation of this provision may thus be of great importance for companies' ability to use internet-based marketing, targeting, profiling, etc.
CO:PLAY recommends that companies review their cookie solutions and, in particular, ensure that there is an overview of whether external agencies, etc. that assist in running marketing campaigns are connected to IAB Europe's platform or other similar solutions. If so, it is the company's responsibility to ensure that the solutions used today and in the long term meet the relevant requirements of the cookie rules and the General Data Protection Regulation.
About thecase
The parties to the case are the pan-European trade association for digital marketing, IAB Europe, and the Belgian Data Protection Authority.
IAB Europe provides a platform where companies can bid via advertising platforms that are tailored specifically to their target audience and product. IAB Europe is non-profit and offers the platform to all members of the trade association. The platform is a real time bidding (RTB) solution, which is an auction system for the instant and automated online sale of user profiles for the sale and purchase of advertising space on the internet. In short, the platform supports advertising agencies, etc. who want to have advertisements displayed to specific internet users, to bid a specific price for the right to display their advertisement to an internet user visiting a website that displays banner ads, etc. The auction takes place in a few nanoseconds, and the price for displaying an advertisement to a specific user is often only a few pennies.
Participants in the auction include data brokers and advertising platforms representing thousands of advertisers (actual companies that have purchased advertising services). They can bid anonymously in real-time to acquire the relevant advertising space on the website through an automated auction system that uses algorithms to display targeted advertisements specifically tailored to a user's profile. RTB, and platforms like the one IAB Europe provides, are thus a central part of modern online marketing practice through the use of cookies etc.
Before such a platform can support the targeting of advertising to the individual user, it is necessary to obtain information and consent from the individual user (a natural person). Users' preferences are stored in codes called a TC String ("Transparency and Consent String"). This TC String is shared with the companies participating in the auction to prove that the user has consented to the sharing of the personal data. However, by combining the TC String and the cookies left on the user's device, it is possible for personal data brokers and advertising platforms etc. to identify the user's IP address and thus potentially make the whole process personally identifiable. At the same time, the use of TC String is a prerequisite for the RTB process to comply with the GDPR by ensuring that the data subject's consent is obtained and respected when displaying online advertisements.
To ensure that members' use of the platform was legal, IAB Europe has developed a Transparency & Consent Framework (TCF), a framework of guidelines, instructions, technical specifications, protocols and contractual obligations that enable a website provider, data brokers or advertising platforms to legally process personal data of a user.
The questions submitted to the CJEU therefore concerned whether the combination of TC String and cookies etc. should be considered personal data under the GDPR. Next, the Court had to answer whether IAB Europe should be considered a data controller, including possibly a joint data controller together with the members using the platform.
The Court of Justice of the European Union's assessment
The CJEU found - not surprisingly - that the use and sharing of TC String constitutes processing of personal data, as the IP address could be used to identify the given user and thus compare who had what preferences, accessed specific advertisements, etc.
The CJEU then held that IAB Europe was to be considered a "joint controller" under Article 4(7) of the GDPR, cf. Article 26. The Court justifies this on the grounds that IAB Europe, together with its members using the plan form, determines the purposes of the data collected through the issuance of binding rules (TCF) that can be enforced in case of infringement. However, IAB Europe cannot be assumed to be the data controller for the further processing by members of the personal data they access through the use of the platform. For example, IAB Europe is not responsible for any subsequent disclosure of the data to third parties or the choice of which advertisements are displayed to users.
Theimportance of the case
The case against IAB Europe was brought by the Belgian Data Protection Authority on behalf of 21 national data protection authorities as a joint enforcement action under Articles 60-63 of the GDPR (the consistency mechanism). The case thus reflects the high priority that data protection supervisory authorities across the EU attach to the enforcement of data protection rules in relation to online marketing. As part of the decision in the case, IAB Europe was ordered to bring the processing of personal data carried out under the TCF into compliance with the provisions of the GDPR, and the Belgian DPA has imposed several remedial measures on IAB Europe as well as an administrative fine of EUR 250,000.
The case is of central importance, as the determination of data responsibility across RTB solutions sets the framework for how the provisions of the General Data Protection Regulation can be enforced in the future against the multitude of actors - including Danish companies and their marketing agencies, etc.
At first glance, the case does not appear to raise fundamental doubts about the legality of using RTB technology, cookies, etc. to target marketing. Danish companies - including marketing agencies etc. that assist companies with relevant internet marketing - should therefore not at this time refrain from using solutions such as the one offered by IAB Europe. However, they should generally focus on ensuring that they consent to placing cookies on their websites, comply with applicable law, including in particular the General Data Protection Regulation. Furthermore, they should follow the further development of the case with the Belgian Data Protection Authority.
Authors: Heidi Højmark Helveg and Christian Wiese Svanberg