Today, 7 March 2024, the Court of Justice of the European Union (CJEU) delivered its judgment in the case C-604/22 (IAB Europe).
In this case, the CJEU was asked by a Belgian court whether a structured string, such as the TC String provided by IAB Europe, which records a user’s consent preferences before placing advertisements on websites or applications, either on its own or in combination with an IP address, constitutes personal data under the GDPR.
TC String captures a user’s consent or the refusal to consent to the processing of personal data for marketing and other purposes, to sharing personal data with third parties, as well as the exercise of the right to object. It further allows third parties to determine if they have the right to process the user’s personal data for these purposes.
The CJEU held that a string containing a combination of letters and characters, such as the TC String, which captures user preferences for data processing by application or website providers, brokers and advertising platforms, is considered personal data if it can, by reasonable means, be associated with an identifier such as the user’s IP address in so far as this information allows the data subject to be identified, even if the organization managing it cannot access the data or combine them with other elements independently.
In the specific situation, IAB Europe would have the possibility to request more information from its members in order to identify a person based on the TC String. However, the CJEU does not clearly rule on a scenario where an entity would only have access to a string such as the TC String (or, by analogy, to information collected through a cookie file) and without association with another identifier such as an IP address.
In this context, the CJEU referred to its reasoning in another case, Breyer, according to which for data to qualify as “personal data” within the meaning of the GDPR it is not required that all information allowing the identification of the data subject to be in the hands of a single entity (see para. 40).
It also ruled that, if the association of the TC String with an identifier makes it possible to identify a user, it is irrelevant that IAB Europe does not have access to the data processed by its members or that it does not combine this string with other identifiers (see para. 46).
Finally, the CJEU also stated that IAB Europe must be considered a joint controller under the GDPR together with its members. It explained that an organization that provides its members with a framework of rules on consent matters related to personal data acts as a “joint controller” if it influences the processing of data for its own purposes and determines, together with its members, the purposes and means of such processing, even if it does not have direct access to the data, while its responsibility does not automatically extend to third party processing.
We have previously expressed our thoughts on the various interpretations of the “personal data” at European level in an article available here.