The Brussels Court of Appeal dismisses various IAB Europe procedural grounds of appeal and agrees to refer our preliminary questions to the European Court of Justice.  

7 September 2022

This afternoon, the Brussels Court issued a judgement in IAB Europe’s appeal opposing the landmark decision of 28 EU data protection authorities against its “Transparency & Consent Framework” (TCF) consent system, which plagues Europeans on 80%[1] of the European Internet.

On 2 February 2022 28 EU data protection authorities, led by the Belgian Data Protection Authority as the leading supervisory authority in the GDPR’s one-stop-mechanism, ruled that IAB Europe’s TCF infringes the GDPR in multiple ways. Google, Microsoft, Amazon, Oracle, TikTok, etc. rely on the TCF as a form of GDPR compliance theatre.

In the judgement, the Court dismissed various procedural arguments of IAB Europe. In addition, acknowledging the importance of the case, the Court agreed to refer our proposed preliminary legal questions to Europe’s highest court, the Court of Justice of the European Union. These questions are as follows (note: unofficial translation from Dutch original): 

1. a) Should Article 4.1 of Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a string of characters which captures in a structured and machine-readable way an internet user’s preferences in relation to the processing of his personal data, constitutes personal data within the meaning of the aforementioned provision in relation to (1) a sector organisation that makes a standard available to its members in which it prescribes to them in which way that string has to be generated, stored and/or distributed practically and technically, and (2) the parties that have implemented that standard on their websites or in their apps and in this way have access to that string?

b) Does it make a difference if the implementation of the standard means that this string is available together with an IP address?

c) Does the answer to questions a) + b) lead to a different conclusion if this standard-setting sector organisation itself does not have legal access to the personal data processed by its members within this standard?

2. a) Should Articles 4.7 and 24.1 of Regulation 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, read in conjunction with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a standard-setting sector organisation has to be qualified as a data controller if it offers its members a standard for managing consent that, in addition to providing a binding technical framework, contains rules specifying how this consent data, which constitutes personal data, has to be stored and disseminated?

b) Does the answer to question a) lead to a different conclusion if this sector organisation itself has no legal access to the personal data processed by its members within this standard?

c) If the standard-setting sector organisation is to be qualified as controller or joint controller for the processing of the preferences of internet users, does this (joint) controllership in European data protection law. of the standard-setting sector organisation automatically also extend to the subsequent processing by third parties for which the preferences of internet users were obtained, such as targeted online advertising by publishers and vendors?

Background 

This case is the result of proceedings initiated by complainants at the Belgian Data Protection Authority, coordinated by the Irish Council for Civil Liberties. The group of complainants includes: Dr Johnny Ryan of the Irish Council for Civil Liberties, Katarzyna Szymielewicz of the Panoptykon Foundation (Poland), Stichting Bits of Freedom (the Netherlands), Ligue des Droits Humains (Belgium), Dr Jef Ausloos, and Dr Pierre Dewitte. The Belgian procedure follows complaints about the insecurity of the online advertising “Real-Time Bidding” (RTB) system that Dr Ryan initiated in 2018.

"That the Brussels Court of Appeal has refered our questions to the European Court of Justice shows the importance of this case. Today’s judgement is the next step in our effort to put an end to the consent pop-ups that have harassed Internet users in Europe for years", said Dr Johnny Ryan of the Irish Council for Civil Liberties. "We now look forward to the answers from the European Court of Justice and subsequently a judgement on the merits of the Brussels Court of Appeal”. 

We thank our lawyers Frederic Debusseré and Ruben Roex, of Timelex.

See decision of the Brussels Markets Court of 7 September:

• (in Dutch) https://www.iccl.ie/wp-content/uploads/2022/09/Dutch-kopie_arrest_2022ar292_id60102-10606016_Redacted.pdf
• (in English) https://www.iccl.ie/wp-content/uploads/2022/09/English-Judgement-Markets-Court-07-09-2022_Redacted.pdf

See 2 February 2022 decision:
https://www.iccl.ie/news/gdpr-enforcer-rules-that-iab-europes-consent-popups-are-unlawful/

View the ICCL action file on Real-Time Bidding:

https://www.iccl.ie/rtb/

Notes

[1] According to IAB Europe