PONT Data&Privacy

Controller or not: what do we learn from the IAB ruling?

Processor and controller: it is not always easy to determine who fulfills which role. Sometimes the question even arises whether a role is fulfilled at all. The case surrounding IAB Europe illustrates this: in February 2022, the Belgian regulator's litigation chamber ruled that in developing a method to store consent for advertising cookies, IAB Europe was not acting as a processor but as a data controller and was in violation of the GDPR. Among other things, IAB Europe contested this qualification before the Brussels Court of Appeal. This led to preliminary questions to the Court of Justice of the European Union (CJEU) about, among other things, the concept of controller. What lessons can we learn from this?

30 May 2024

The fine for IAB Europe

IAB Europe is an industry association based in Belgium. IAB Europe launched the so-called Transparency and Consent Framework ("TCF") when it became mandatory to seek consent for advertising cookies. Using the TCF, a web visitor's cookie preferences were stored in a so-called "Transparency and Consent string" ("TC string"), from which website owners could deduce whether the visitor had consented to, or objected to, targeted online advertisements using advertising cookies. This allowed the online advertising practice of Real Time Bidding ("RTB") to continue, and publishers are using it en masse. RTB is based on the use of tracking cookies: as an advertiser, you bid through an online marketplace on the web visitors (profiles) of interest to you in order to display your advertisement. For this advertising, however, the user must first give permission, and this is remembered using the TC string.

Back in 2022, the Belgian regulator fined IAB Europe because the TC string is personal data and IAB Europe, as a data controller, had allegedly not acted in accordance with the GDPR (1). IAB Europe objected and appealed. Among other things, the Court had to consider whether a TC string is personal data and whether IAB Europe is also a data controller within the meaning of the GDPR.

Preliminary questions: personal data and controller or not?

In the case, the judge was unsure whether a TC string fell within the definition of personal data and, if so, whether IAB Europe was the data controller. Accordingly, the Belgian court asked the CJEU two preliminary questions: questions of law from a judge to the Supreme Court, for the purpose of interpreting a rule of law.

The Court held that a TC string was indeed personal data, because by linking it to other data (such as an IP address), a user could be identified. The fact that IAB Europe could not itself make the link and did not have access to the data processed by its members was irrelevant, according to the Court, since IAB Europe could apparently oblige its members to provide, upon request, information that would allow them to identify users. In short, a contractual obligation can be the means of dealing with personal data, even if you do not have the data directly.

Since the TC string qualified as personal data, the question remained whether IAB Europe was also the data controller. The Court answered this in the affirmative as well: IAB Europe, together with its members, determined the purpose and means of processing. The fact that IAB Europe itself does not have direct access to the TC strings and the personal data processed by its members did not alter this, according to the Court.

Joint controller

So as an organization, you would do well to take another look at your collaborations. If suppliers or processors have too much of a say, and can make their own decisions regarding the purpose and means of processing, there may be joint controllership. To determine whether joint controllership exists in a concrete case, the European Data Protection Board (EDPB) guidelines 07/2020 (version 2.0, July 7, 2021) provide guidance. An important criterion for determining whether there is joint controllership is whether the data processing would not be possible without the participation of both parties, in the sense that the processing operations of each of the parties are inextricably linked. The EDPB illustrates this with a number of examples, such as a joint research project by multiple institutions, or parties organizing a joint event for their respective constituencies (think of a climate march, for example).

When there is joint controllership, not only do the provisions of the GDPR apply, but this also touches on the subject of liability. In such situations it is important, and in view of Art. 26 GDPR also required, to make a joint arrangement. In this, at least the different (stages of) processing should be laid down, so that neither party is in the dark regarding its own involvement, liability and responsibility.

  1. System behind pop-ups for cookies violates privacy law
