Attorney: Belgian Online Ad-Consent Ruling Applies to Advertisers Everywhere

Separately, the Irish Council for Civil Liberties (ICCL) won permission from the country's High Court to file a class action suit against Microsoft's system for personalizing ads.

The May 14 Market Court (Court of Appeal) decision arose from a case between the Belgian Data Protection Authority (DPA) and IAB, an association representing European digital marketers and advertisers.

In February 2022, the DPA published a decision about the TCF, a mechanism for managing users' preferences for online personalized advertising that plays a key role in Real Time Bidding (RTB), a system that enables personalized ads. The DPA fined IAB for General Data Protection Regulation (GDPR) and ePrivacy Directive breaches, and gave it two months to submit an action plan for complying, DPA noted.

IAB appealed, but before ruling, the Market Court decided to refer two questions on EU law to the European Court of Justice (ECJ).

The EU high court sided with the DPA, which had argued that structured character strings capturing internet users' preferences, such as IAB's TC string, could be considered personal data, and that an organization such as IAB could qualify as a joint controller of users' preferences within the TCF, the DPA said.

The Market Court backed the Belgian DPA's reasoning. However, the DPA noted, it rejected the conclusion that IAB acts as a joint data controller for processing operations that take place entirely within the OpenRTB protocol.

The decision held three takeaways, IAB blogged. First, the "TCF remains a best-practice standard that can help publishers and vendors comply" with the GDPR and ePrivacy Directive. Second, the ruling clarifies that IAB is responsible (that is, acts as joint data controller) only for processing the TC string. Last, the court found that IAB isn't responsible for further processing of data for digital advertising.

The TCF can be compared to a blockchain with consents, including for cookies and tracking devices, chained together across an advertising network using the TCF, said Drouard. The framework shows which consents a user has provided, for which purposes and to which member of the TCF, he said; that is, who can track which user device and for what purpose.

The TCF is the sole standard of this ecosystem and now the responsibility of IAB in combination with advertisers and others in the value chain has been clarified, Drouard said.

IAB is responsible for building the chain, called the "consent string," and the way it works, but use or misuse of the system is the responsibility of each individual advertiser and intermediary (called "vendors"), Drouard said.

The Market Court decision, however, doesn't clarify who's responsible if one of the vendors on the TCF misuses data. The specific responsibility of each market player must be assessed case-by-case, he added.

Being a joint data controller doesn't assume collective responsibility; instead, each controller is responsible for its use of the data, Drouard said. So far, however, DPAs have been "lazy" in distinguishing responsibility of one particular controller from another.

Asked whether the Market Court decision has relevance across Europe, Drouard noted that the Belgian court's reasoning came from the ECJ decision, so it applies across the continent.

The ruling affects businesses anywhere that gather consent collected from the TCF of IAB Europe for tracking, cookies or other advertising activities, Drouard said. Moreover, the allocation of responsibility for data misuse is an issue for any network that collects data, whether for AI, geolocation, marketing or other purposes, he added.

ICCL Challenges Microsoft's RTB Scheme

The ICCL class action against Microsoft follows an undercover investigation of data brokers, the organization noted May 26.

ICCL found that Microsoft broadcasts people's intimate relationships, finances and other secrets into its RTB advertising system, which matches ads to specific people, the organization said. ICCL accused it of exposing users to malicious profiling and discrimination and undermining European security.

The case is expected to affect the company's operations across Europe because Ireland is Microsoft's EU headquarters, ICCL said. Moreover, the decision to allow the class action extends beyond Microsoft, because Ireland is also the HQ for Google, Meta, TikTok, X and Apple, it said.

The Irish case isn't directly linked to the Belgian litigation, Brouard said. However, "I have no doubt that the allocation of responsibility between Microsoft and third parties will at some point be discussed in light of" the ECJ decision addressing that point with regard to the TCF.