On the 7th March 2024, the Court of Justice of the European Union (‘the CJEU’) issued a judgment (IAB Europe – C-604/22) on the relationship between the Transparency and Confidentiality String (‘the TC String’), under IAB Europe’s Transparency and Confidentiality Framework (‘TCF’), and personal data within the meaning of the General Data Protection Regulations (‘the GDPR’). This judgement also has a significant bearing on the interpretation of the GDPR notions of joint controllership and identification.
The CJEU states that the TC String contains information concerning an identifiable user, meaning that it constitutes personal data per the GDPR. Where the information contained in a TC String is associated with an identifier such as the IP address of the user’s device, a profile of the user in question might be created, making the identification of said user easy to obtain.
On whether IAB Europe must be regarded as a ‘joint controller’ per GDPR, in the CJEU’s view, IAB Europe exerts influence over data processing operations by recording the consent preferences of users in a TC String and by determining the purposes of those operations and the means behind them. However, IAB Europe cannot be regarded as a controller within the meaning of the GDPR, in respect of data processing operations occurring after the consent preferences of users are recorded in a TC String, where the determination of the purposes of those operations is not influenced.
Furthermore, since the TC String contains individual preferences of a specific user regarding his/her consent to process personal data, the GDPR notion of natural persons is triggered. Since the TC String involves a string of letters and numbers, with the additional information in the form of IP address of the device of the user and other identifiers, the identification of said user in question is enabled. The Court stated that, even though ‘IAB Europe cannot itself combine the TC String with the IP address of the device of a user’ and even if it does not have access directly to the data processed by its members in the TCF, this stance does not change. Regard should be had to all means reasonably likely to be used, such as signalling out, either by the controller or by another person, to identify the natural person directly or indirectly, when determining whether he/she is identifiable.
The Court concluded that IAB Europe has all reasonable means to identify a natural person from a TC String, constituting personal data, but this is just an assumption and is up to the referring court to determine, and that the combination with such additional data enables identification. The CJEU found that the scope of Article 4(1) of the GDPR was intentionally wide, and in line with existing case law on the matter, where it was possible that the individual could be identified, then the data was personal albeit in this instance the said article was applied in a wider scope than cases like Breyer.
Undoubtedly this ruling in particular the extended definition of personal data will have an impact on all digital processing in the EU as well as any data used by or for AI including LLMs and generative AI for commercial purposes.
Need assistance? GTG is here to help! Contact Dr Ian Gauci for further information.