Authors: Frederic Debusseré and Ruben Roex, Partners at the Brussels law firm Timelex (Counsel for the complainants in this case)
On 14 May 2025 the Brussels Court of Appeal upheld the decision of the Belgian Data Protection Authority (DPA) of 2 February 2022 in which the DPA found multiple GDPR violations with respect to the Transparency & Consent Framework (TCF) of IAB Europe. An English machine translation is available below.
The judgement has been the subject of some confusion, which we wish to dispel.
The Court did not annul the DPA’s decision. All infringements presented by the complainants were upheld by the Court. The Court annulled three points of the DPA’s decision, but two of these are merely procedural defects that the Court corrected, and the third point has nothing to do with the complainants.
Main findings in the judgement
The main findings in the judgement are the following:
1) The TC String is personal data. As the CJEU confirmed in this very case, this applies whether IAB Europe has access to it or not. The Brussels Court of Appeal finds at paragraph 48 of its judgement that:
“48. The fact that IAB Europe itself would not have the reasonable means to proceed to identification because it cannot make the link between a TC String and the IP address and would not have direct access to the personal data, is in itself irrelevant. This is explicitly confirmed by the Court of Justice in paragraphs 46 and 47 of the Prejudicial Judgment as quoted above.”
On 7 March 2024, the CJEU found that the TC String remains personal data when it is associated with an IP address. Paragraph 45 of that CJEU judgement states:
“45. In so far as associating a string composed of a combination of letters and characters, such as the TC String, with additional data, inter alia with the IP address of a user’s device or with other identifiers, allows that user to be identified, it must be considered that the TC String contains information concerning an identifiable user and therefore constitutes personal data within the meaning of Article 4(1) of the GDPR, a conclusion which is supported by recital 30 of the GDPR, which expressly refers to such a case.”
2) The TCF is not merely a paper standard. It is an actual system in which personal data are actually processed. The Brussels Court of Appeal finds in paragraphs 52-53 of its judgement:
“52. Apart from the global consent cookie and the consensu.org domain, there is a processing of personal data in the TCF managed by IAB Europe:
- user preferences are collected via a CMP and the CMP also receives the user's IP address at that time;
- user preferences are structured and ordered in a TC String;
- the TC String is stored, distributed and made available to the participants in the TCF.
53. Despite what IAB Europe claims, this is not merely a theoretical observation but a concrete observation based on exhibits (see, among other things, the complainants’ exhibits C1 to C4: bailiff and/or notarial observations of processing). Nor is it merely a "standard" that would not in itself entail processing as IAB Europe claims: The TCF is a framework that makes certain processing happen in a certain way, otherwise the framework does not work at all. Of course, participants choose whether they want to participate, but as soon as they join, they are obliged to process the personal data (the user preferences and associated identifiers) within the context of that framework. After all, as already mentioned, the TCF also has a mandatory character, whereby the rules and regulations contained therein can also be enforced by IAB Europe.”
3) IAB Europe is a data controller for the processing in the TCF. The Court finds on page 43 of its judgement:
“In the Contested Decision, the Litigation Chamber therefore rightly determined that IAB Europe is a data controller for the processing of TC Strings within the TCF.”
In this context, the Court finds that IAB Europe incorrectly presents itself as just a small sector organization that offers its members a standard:
“64. IAB Europe essentially argues that it is only a small sector organisation that wishes to offer players in the digital marketing ecosystem a standard or even a code of conduct for possible processing of user preferences.
65. In its decision the Litigation Chamber correctly established that IAB Europe, with the TCF, does make personal date being processed (paragraphs 317-321 of the Contested Decision). Several of the largest Vendors and Publishers in the world are represented on the board of IAB Europe, including Microsoft, Google, etc. (…). This is therefore a central body that has a decisive influence on certain processing of personal data. (…)”
4) IAB Europe and companies that use the TCF are all joint controllers for the processing of personal data in the TCF. The Court finds at paragraph 75 that:
“75. (…) the Litigation Chamber has established in the Contested Decision the extent to which IAB Europe’s controllership extends. The “offering” or requiring by IAB Europe of a “standard” or framework (TCF) for GDPR compliance must, in the present case and in view of the aforementioned documents in the file, indeed be regarded as a processing purpose in itself for which IAB Europe is a data controller to the same extent as its members. IAB Europe is therefore in a position to safeguard the rights of data subjects and to comply with the obligations imposed by the GDPR. IAB Europe is therefore a joint controller with the TCF participants for the storage of the consent preferences of the users concerned in the TC String. (…)”
5) For the processing of the TC string in the TCF, IAB Europe cannot rely on any legal basis:
“82. (…) Since IAB Europe does not provide any information about the processing of personal data to data subjects, data subjects are left to guess which legal basis in Article 6 GDPR IAB Europe would invoke for its processing of personal data in the TCF.
However, for the processing of the TC String in the TCF, it cannot rely on any legal basis in Article 6 GDPR. Moreover, the Litigation Chamber rightly states that IAB Europe cannot suffice by merely referring to subsequent notifications that may be made to data subjects by Publishers or publishers. (…)”
6) IAB Europe violates its obligation to inform internet users about the data processing.
“88. (…) Neither on its own website nor in other sources does IAB Europe explain to data subjects (…):
1. that IAB Europe is (jointly) controller of the TCF and what its contact details are;
2. what the contact details are of its data protection officer (which IAB Europe must appoint, as the Inspection Service also established in its report, given its essential activity and role within the TCF);
3. what its processing purposes are and the legal basis for the processing (which it does not have at all in this case, see above);
4. what categories of personal data it processes (in particular the TC String);
5. who receives the personal data (these are at least all participants in the TCF who receive the TC String);
6. whether it intends to pass on the personal data to be given to recipients in third countries;
7. how long the personal data will be retained;
8. what the rights of the data subjects are;
9. that the data subjects can lodge a complaint with the Data Protection Authority;
10. that the data subjects can withdraw their given consent;
11. what the source of the personal data is.
IAB Europe therefore violates Article 5, point 1, under a, Article 12 and Article 14 GDPR, as the Dispute Resolution Chamber was right to establish in the Contested Decision.
The Contested Decision is correctly reasoned with regard to the lack of transparency on the part of IAB Europe for its processing of personal data in the TCF.”
7) IAB Europe violates its obligation of data protection by design and by default and to take appropriate technical and organisational measures to ensure security of the personal data processed in the TCF.
“94. (…) The Contested Decision is correctly motivated with regard to breaches of security, integrity and data protection obligations by design and default settings on the part of IAB Europe for its processing of personal data in the TCF.”
The Court thus upheld all points of the DPA’s Decision that were brought by the complainants in their complaint.
The Court did not annul the DPA’s decision
Some report that the Court annulled the DPA’s decision. This is not true. The Court concluded as follows (p. 69):
“The conclusion is that, although the Contested Decision contains some procedural defects as set out in the Interim Judgment, the substantive claims of IAB Europe against the Contested Decision are unfounded, except to the extent that the Contested Decision finds that IAB Europe acts as (joint) controller for the processing that takes place entirely within the framework of the OpenRTB protocol. The Market Court also confirms the sanctions imposed on IAB Europe by means of the Contested Decision that relate solely to processing within the TCF. It is not necessary to refer the case back to the Litigation Chamber”
The Court annulled only three points of the decision, and made the limited scope of those annulments clear by using the words “in zoverre”. This translates to English as “to the extent that” or “insofar as” (p. 70):
“Annuls the Contested Decision only because of the procedural defects established in the interim judgement and thus, in particular, to the extent that the DPA bluntly finds that TC Strings are personal data within the meaning of Article 4(1) GDPR, and to the extent that the DPA in the Contested Decision bluntly appoints itself as the leading supervisory authority.
(...)
Declares the substantive complaints of IAB Europe against the Contested Decision unfounded except to the extent that the Contested Decision finds that IAB Europe acts as (joint) controller for the processing operations that take place entirely within the framework of the OpenRTB protocol (a finding that the Market Court does not endorse).”
The three points in the Belgian DPA’s decision that were annulled are:
1) The Court’s interim judgement of 7 September 2022 had found that the DPA’s decision had failed to specify on what exhibits it based its conclusion that the TC string is personal data, and that the DPA had merely referred to the complainants’ allegations in this respect.
“The fact that the Litigation Chamber in this case simply incorporated the additional allegations and complaints of the complainants (it is not disputed that IAB Europe’s right to contradiction was guaranteed) into the contested decision after the hearing does not demonstrate sufficient care on its part. TC Strings thus became the focus of the decision without the parties involved or the Market Court being able to verify on the basis of which documents the Litigation Chamber came to the conclusion that the TC String in itself should be considered personal data, which IAB Europe denies. The technical reports of 13 July 2020, 6 January 2020 and 4 June 2019 date from before the additional complaints and can in no way illustrate the Litigation Chamber's duty to investigate the additional complaints.
However, under the principle of due care, the decision must always be based on proven and objective facts. By adopting the additional complaints and allegations of the complainants, the contested decision regarding the qualification of the TC String does not demonstrate a proper investigation and a proper finding of facts.”
In its final judgement the Court now corrects this procedural defect by explicitly referring to exhibits and developing its own reasoning based thereon. It arrives at the same conclusion as the DPA and the complainants, which is that the TC string is personal data:
“47. It is indisputably clear from the whole of the aforementioned articles that, thanks to the information that its members and other organisations participating in the TCF must provide to it, IAB Europe has means of which it can reasonably be expected that it and/or the participating organisations (can) use these to (in)directly identify a natural person.
48. The fact that IAB Europe itself would not have the reasonable means to proceed to identification because it itself cannot make the link between a TC String and the IP address and would not have direct access to the personal data, is in itself irrelevant. This is expressly confirmed by the Court of Justice in paragraphs 46 and 47 of the Preliminary Judgment as quoted above.
It follows from the foregoing that a TC String is personal data within the meaning of Article 4(1) GDPR.”
2) The Court’s interim judgement of 7 September 2022 found that the DPA’s decision had also failed to specify on which facts and legal grounds the DPA had come to the conclusion that there was a cross-border processing and that it was the lead supervisory authority for the processing (p. 35):
“Apart from the very summary finding that “the DPA presents itself as the leading supervisory authority”, the contested decision contains no further reasoning regarding the facts or legal grounds on the basis of which the Litigation Chamber established the existence of cross-border processing, nor does the decision enable to infer why the DPA considers itself the leading supervisory authority. It is regrettable that the Litigation Chamber does not explain the application of the rules regarding the one-stop shop arrangement, as these rules are not always easy to apply in practice.”
In its final judgement the Court now corrects this procedural defect by quoting from a reasoning in the report of DPA’s Inspection Service (which had not been copied in the DPA’s decision itself), and by ruling that this quote has to be added to the reasoning in the DPA’s decision:
“56. This summary reasoning must be supplemented with the following findings from the inspection report (the DPA’s exhibit A133) which show (page 8 and following) that the DPA can only act as a leading supervisory authority with regard to IAB Europe and limited to the TCF.
The Inspection Service motivates this on pages 10 and 11 of its report as follows
(…)
The Market Court endorses the above-mentioned findings from the inspection report.”
3) The Court did not decide on the question of whether IAB Europe is a controller for OpenRTB. The complainants’ submission before the DPA only dealt with the TCF, not OpenRTB. The complainants had thus not made any arguments as to whether IAB Europe is a data controller for OpenRTB. However, the DPA’s decision had extended the scope of the case and found that IAB Europe is a joint controller for all OpenRTB processing. The Court annulled this finding because it extended the scope of the case. The Court also found that the DPA had not presented any own exhibits to the Court to support such a finding. The Court also found that some paragraphs in the DPA’s reasoning on this topic contradicted some other paragraphs. Since this may be a point of particular interest, below is a long excerpt in which the Court explains its reasoning:
“79. (…) In paragraph 177 of their submissions the complainants state: “This case concerns the processing of personal data in the context of the TCF. Although OpenRTB is the motivating reason for IAB Europe to establish the TCF, it does not examine the specific processing of personal data that takes place in OpenRTB.”
The DPA defends a different view: In the Contested Decision it attempts to argue that the TCF does not stand on itself but serves OpenRTB (paragraph 370 of the Contested Decision), that actions / subsequent processing by CMPs, publishers and TCF vendors outside the TCF are important and lead to IAB Europe being a joint controller for this. It refers to what is described in paragraphs 367 et seq. of the Contested Decision: (…)
The following paragraphs of the Contested Decision are at odds with the Litigation Chamber’s aforementioned findings: (…)
In this case IAB Europe argues (paragraph 39 et seq. of its submissions): “By extending the scope of the decision to OpenRTB and its stakeholders, the Litigation Chamber lost the ability to clearly distinguish the roles of the parties and their corresponding responsibilities, for the different data processing operations. Very often, it is unclear what data the Litigation Chamber is referring to, whose interests it is taking into account and who it considers responsible for what.”
80. The Market Court finds that the reasoning in the Contested Decision is thus contradictory.
The Market Court further considers that in their submissions the complainants have indicated that they limit the scope of the present case to the processing within the TCF.
The Court also finds that the Inspection Service itself clarifies in its report that IAB Europe does not act as a controller for the processing that takes place entirely within the framework of the OpenRTB protocol.
In any case, it does not appear from any exhibit submitted to the Court that IAB Europe acts as a (joint) controller for the processing that takes place entirely within the framework of the OpenRTB protocol.
Based on the foregoing, IAB Europe’s sixth grievance is unfounded and IAB Europe’s seventh grievance is only founded to the extent that the Contested Decision states, but does not demonstrate, that IAB Europe acts as a (joint) controller for the processing that takes place entirely within the framework of the OpenRTB protocol.”
IAB Europe data protection failures
In addition, the Court also upheld the DPA’s decision on the following points:
-
- IAB Europe violated its obligation to conduct a data protection impact assessment.
- IAB Europe violated its obligation to designate a Data Protection Officer.
- The Court confirmed the sanctions imposed by the DPA: (1) an order to stop the infringements, and (b) a fine of 250,000 EUR.
Sources
Original Dutch version of the final judgement: https://www.gegevensbeschermingsautoriteit.be/publications/arrest-van-14-mei-2025-van-het-marktenhof-ar-292.pdf
English machine translation of the final judgement:
https://www.iccl.ie/wp-content/uploads/2025/05/Arrest-Marktenhof-14-05-2025-en.pdf
Original Dutch version of the interim judgement: https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-7-september-2022-van-het-marktenhof-ar-292.pdf
DPA’s decision (English): https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022-en.pdf