GDPR

Adatvédelem mindenkinek / Data protection for everyone

ECJ´s judgment in the IAB Europe case: cases of joint controllership seem to develop further

2024. március 11. 09:30 - poklaszlo

In its recent judgment, the European Court of Justice found that IAB Europe, as the sectoral organisation of the digital advertising market, qualifies as a joint controller by defining and applying the framework established to manage data processing consents for the display of online advertising.

It has been established that, as a sectoral organisation, IAB Europe exercises influence over the processing of the personal data concerned and therefore determines, together with its members, the purposes and means of such processing. In the following, I highlight some of the findings of the CJEU judgment on joint controllership, which may have implications beyond the digital advertising market. (In addition to the question on joint processing, the other question concerned the concept of personal data.)

1. Short background of the case

The case was based on the data protection authority's proceedings against IAB Europe in Belgium and its findings (IAB Europe is based in Belgium, so the Belgian Data Protection Authority acted as the lead authority under the GDPR for data protection complaints concerning IAB Europe). IAB Europe turned to court against the decision of the Belgian DPA, and the CJEU has now ruled on the Belgian court's questions referred for a preliminary ruling.

The basis of the data protection procedure against IAB Europe was that "IAB Europe has drawn up the Transparency & Consent Framework (the "TCF"), which is a framework of rules consisting of guidelines, instructions, technical specifications, protocols and contractual obligations that enable both the provider of a website or application and data brokers or indeed advertising platforms to process lawfully the personal data of a user of a website or application." (See Point 21 of the judgment)

2. Main findings concerning joint controllership

The Court refers to several previous judgments concerning joint controllership in the case, namely:

  • judgment of 5 June 2018, Wirtschaftsakademie Schleswig-Holstein (C‑210/16),
  • judgment of of 10 July 2018, Jehovan todistajat (C‑25/17),
  • judgment of 29 July 2019, Fashion ID (C-40/17),
  • judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras (C-683/21).

With regard to joint controllership, referring to the above case-law, the following main findings can be highlighted from the judgment:

The Court has also found that a natural or legal person who exerts influence over the processing of personal data, for his, her or its own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller within the meaning of Article 4(7) of the GDPR (see, by analogy, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 68). Thus, under Article 26(1) of the GDPR, ‘joint controllers’ exist where two or more controllers jointly determine the purposes and means of processing (judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraph 40). [Point 57 of the judgment]
In that regard, although each joint controller must independently meet the definition of ‘controller’ which is set out in Article 4(7) of the GDPR, the existence of joint controllership does not necessarily imply equal responsibility of the various operators engaged in the processing of personal data. On the contrary, those operators may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed in the light of all the relevant circumstances of the particular case. In addition, the joint controllership of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned (see, by analogy, judgment of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraphs 66 and 69 and the case-law cited). [Point 58 of the judgment]
Participation in the determination of the purposes and means of processing can take different forms, since such participation can result from a common decision taken by two or more entities or from converging decisions of those entities. Where the latter is the case, those decisions must complement each other in such a manner that they each have a tangible impact on the determination of the purposes and means of the processing. By contrast, it cannot be required that there be a formal arrangement between those controllers as regards the purposes and means of processing (judgment of 5 December 2023, Nacionalinis visuomenės sveikatos centras, C‑683/21, EU:C:2023:949, paragraphs 43 and 44). [Point 59 of the judgment]

On the basis of previous case-law, the Court made the following additional findings with regard to joint controllership on the facts of the specific case:

In those circumstances, the TCF aims, in essence, to promote and enable the sale and purchase of advertising space on the internet by such operators. [Point 63 of the judgment]
Accordingly, the view may be taken, subject to the verifications which are for the referring court to carry out, that IAB Europe exerts influence over the personal data processing operations at issue in the main proceedings, for its own purposes, and determines, as a result, jointly with its members, the purposes of such operations. [Point 64 of the judgment]
[...] the TCF constitutes a framework of rules which the members of IAB Europe are supposed to accept in order to join that association. [...] if one of its members does not comply with the rules of the TCF, IAB Europe may adopt a non-compliance and suspension decision in respect of that member, which may result in the exclusion of that member from the TCF and, consequently, prevent it from relying on the guarantee of GDPR compliance that that system is supposed to provide with regard to the processing of personal data which that member carries out using TC Strings. [Point 65 of the judgment]
[...] the TCF established by IAB Europe contains technical specifications relating to the processing of the TC String. In particular, it appears that those specifications describe precisely how CMPs are required to collect users’ preferences relating to the processing of personal data concerning those users and how such preferences must be processed in order to generate a TC String. Moreover, precise rules are also laid down as regards the content of the TC String as well as the storage and sharing thereof. [Point 66 of the judgment]
[...] a sectoral organisation such as IAB Europe must be regarded as exerting influence over the personal data processing operations at issue in the main proceedings, for its own purposes, and determines, as a result, jointly with its members, the means behind such operations. It follows that such an organisation must be regarded as a ‘joint controller’, for the purposes of Article 4(7) and Article 26(1) of the GDPR, in accordance with the case-law referred to in paragraph 57 above. [Point 68 of the judgment]
[...] it can be ruled out that any joint controllership of that sectoral organisation extends automatically to the subsequent processing of personal data carried out by third parties, such as website or application providers, with regard to users’ preferences for the purposes of targeted online advertising. [Point 70 of the judgment + see also Points 73-75]

3. What follows from the judgment?

It will be relevant to assess - reading the evolving case law concerning joint controllership - what further effect the judgment may have in addition to its direct effects on the specific case.

In the judgment, it was confirmed that

  • the existence of joint controllership is a matter of fact, it cannot be limited to analysing formal conditions (e.g. the existence of a joint controller agreement),
  • the existence of joint controllership does not necessarily imply equal responsibility, the level of responsibility of each of them must be assessed in the light of all the relevant circumstances of the particular case,
  • the joint controllership does not require each (joint) controllers to have access to the personal data concerned,
  • participation in joint controllership can result from a common decision taken by two or more entities or from converging decisions of those entities. (See also EDPB´s Guidelines no. 07/2020 point 3 for the above aspects.)

The judgment may provide further guidelines in assessing situation where the the existence of joint controllership may be derived from setting and enforcing a framework for data processing. According to EDPB´s Guidelines no. 07/2020:

This scenario can notably arise in case of platforms, standardised tools, or other infrastructure allowing the parties to process the same personal data and which have been set up in a certain way by one of the parties to be used by others that can also decide how to set it up. The use of an already existing technical system does not exclude joint controllership when users of the system can decide on the processing of personal data to be performed in this context. (see Guidelines, paragraph 65, p. 23)

Building also on the above logic, the establishment and enforcement of the framework of rules regarding the data processing can be the basis for establishing the joint controllership in the present judgment, however, the reverse logic applies compared to the Fashion ID case and the Wirtschaftsakademie judgment, insofar as in the Fashion ID case and in the Wirtschaftsakademie judgment, the Court found that the capacity of joint controller was assessed from the point of view of users of the common infrastructure, stating that companies creating fan pages on Facebook or hompage operators embedding the "Like" button on their homepages are joint controllers with Facebook (Meta). In the present case, the joint controller status is established for the creator and enforcer of the common regulatory framework.

Why is this important?

IAB Europe, which is a sectoral professional organisation and as such offers an essentially binding framework of rules for data protection compliance within a given sector, is a joint controller. Based on this, similar situations may rightly arise in other sectors, in connection with other cooperation frameworks, that, depending on the actual existence and method of influence on data processing, may result in a situation, where joint controllership is present on a much wider scale than may be apparent from current practice. Of course, a thorough factual analysis of data processing is necessary in this context, as well as a careful examination of whether the joint or converging decisions of the parties regarding the purpose and means of data processing are present. However, the recent judgment of the Court of Justice may serve as a further basis for these debates.

Szólj hozzá!
Címkék: Belgium EN GDPR joint controllers digital economy ECJ IAB Europe

Ajánlott bejegyzések:

A bejegyzés trackback címe:

https://gdpr.blog.hu/api/trackback/id/tr9918350975

Kommentek:

A hozzászólások a vonatkozó jogszabályok  értelmében felhasználói tartalomnak minősülnek, értük a szolgáltatás technikai  üzemeltetője semmilyen felelősséget nem vállal, azokat nem ellenőrzi. Kifogás esetén forduljon a blog szerkesztőjéhez. Részletek a  Felhasználási feltételekben és az adatvédelmi tájékoztatóban.

Nincsenek hozzászólások.
süti beállítások módosítása