On 7 September 2022, the Belgian Court of Appeal issued a judgment (the “Judgment”) in the appeal by IAB Europe against the decision of 2 February 2022 (the “Decision”) of the Belgian Data Protection Authority (the “APD”) against IAB Europe regarding the operation of the Transparency and Consent Framework (the “TCF”). For details of the Decision, see our original article here.
The Judgment has resulted in several key questions being raised to the Court of Justice of the European Union (“CJEU”) for further determination – the outcome of these questions will be key not just to this case but also more broadly given their fundamental nature.
The Decision resulted in certain key findings summarised above that were then appealed by IAB Europe.
The appeal grounds developed by IAB Europe can be grouped around three categories: (1) grounds on procedural grounds; (2) grounds contesting that the TC String constitutes personal data for IAB Europe, and that IAB Europe acts as a joint data controller in relation to such data; and (3) since IAB Europe believes it is not the case, grounds contesting it had violated several of its obligations under the General Data Protection Regulation (“GDPR”).
Below, we will elaborate on how the Court of Appeal responded to these grounds of appeal.
1. Procedural grounds of appeal
It is important to note that an appeal against a decision of the APD through the Court of Appeal is not a classic appeal; rather the procedure is a form of judicial review in the sense that the Court will assess whether the decision taken by the APD was lawful. If this is not the case, the Court of Appeal will annul the decision of the APD. However, in principle, the Court will not make an entirely new decision, nor entirely substitute itself for the APD, particularly in relation to substantive interpretative matters.
The first eight of IAB Europe’s appeal grounds were mainly based on procedural grounds and were clearly aimed at convincing the Court to annul the Decision. These arguments were quite diverse in nature, and some quite fundamental. For example, IAB Europe argued, amongst other things, that:
Most of these grounds of appeal were dismissed by the Court of Appeal. However, it partly followed IAB Europe in its seventh and eight grounds of appeal that the APD should not have included in the Decision additional allegations and complaints from the complainants about the qualification of the TC String as being personal data that were submitted after the hearing and simply incorporated into the Decision, leading to a violation of the principle of due care. The decision on what consequences the Court of Appeal attaches to this violation and whether it results in a challenge to the validity of the Decision as a whole is stayed pending the proceedings before the CJEU (see below).
In previous cases, the APD has had a poor track record before the Court of Appeal, with roughly 80% of all admissible appeals against decisions of the APD resulting in the decision being annulled, mostly on the basis of procedural grounds (for more information, see our article about GDPR Enforcement in Belgium here). Contrary to this usual position, in this case, the Decision and the manner in which the APD conducted the proceedings against IAB Europe were mainly upheld by the Court of Appeal. It is therefore not surprising that the APD, which was defending what is undoubtedly the most significant decision it has yet taken, mentioned in its statement on the Judgment that “it is pleased with this decision.”
2. Referral of questions to the CJEU
As requested by all parties to the Decision, given the importance of the Court’s judicial review of the Decision and the wider importance beyond this case, particularly with regard to clarifying the position on key concepts of the GDPR (such as the definition of data controller) and its applicability to framework designers, the Court of Appeal decided to refer the following questions to the CJEU:
Is the TC String, whether in combination with an IP address or otherwise, personal data for IAB Europe?
Is IAB Europe a joint data controller?
3. Consequential violation of several GDPR obligations
As mentioned in our previous article, not only did the APD in its Decision decide that the TC String does constitute personal data for IAB Europe’s purposes, and that IAB Europe acts as a joint controller in relation to such personal data, it also found that IAB Europe had failed to comply with several GDPR obligations (e.g., failing to appoint a data protection officer, conduct data protection impact assessments, and maintain records of processing activities).
As these GDPR obligations arise as a result of the TC String being considered personal data (where IAB Europe did not consider this to be the case prior to the Decision), and the answers from the CJEU on the referred questions will determine whether this classification of the TC String is correct, the Court of Appeal has suspended its Judgment on these aspects in particular pending the case before the CJEU.
As it currently stands, the Judgment is stayed pending resolution of the above questions by the CJEU. Given the usual speed of this process, we would not expect any further Judgment before 2024. Although this does not act to suspend the Decision itself, it seems likely that, pending proceedings before the CJEU, the APD will not seek enforcement of the Decision.
Whilst the referred questions are vitally important, not just to this case but to the industry more broadly, the associated timeframes for the referral and the relevant response means that the industry, unfortunately, remains in a period of uncertainty as to the ongoing validity of the TCF as a means of obtaining and communicating user consent in the adtech ecosystem. Although this would seem to grant some short-term respite given that it would seem unlikely, though not guaranteed, for other regulators to enforce against the use of TCF pending the CJEU’s responses, it does not provide any longer-term certainty at this stage.
There is, however, no need to immediately panic – as stated previously, the adtech ecosystem will not stop functioning in Europe tomorrow. Our previous recommendations still apply, and at this stage, the most that users of TCF can do is wait and see.