Is the TC String personal data? Analyzing the CJEU answer to question one

Summary + thoughts on the CJEU’s answer to the 1st question (“is the TC String personal data?”) in the IAB Europe & TCF case (C-604/22). [I may be biased]

– 33: CJEU data protection Directive case law is “in principle” also relevant for the GDPR, “given that this directive was withdrawn by and replaced by the GDPR, of which the relevant provisions in question have the same scope as the relevant provisions of that directive”

– 37: Information is personal data if “as a result of its content, its purpose or its effect, it is linked to an identifiable person” (C-487/21)

– Re “identifiable” requirement, ref to Breyer (C-582/14) and C-683/21 => personal data that could be attributed to a natural person by way of additional information must be deemed as information relating to an identifiable natural person

– “Identifiable” requires taking into account all means “reasonably likely” to be used for identification (recital 26 of the GDPR)

– It doesn’t only cover personal data collected and stored by the controller but also all information “resulting from a processing of personal data that concern an identified or identifiable person” (C-579/21)

So far, OK.

– Re TC String itself:

(i) 43: “it contains the individual preferences of a specific user regarding his consent to the processing of personal data concerning him” and thus “relates to a natural person”

(ii) 44: “when the information contained in a TC String are associated with an identifier, such as the IP address of the device of such a user, they can enable the creation of a profile of said user and effectively identify the person specifically concerned by such information”
=> debatable

(iii) 45: “Inasmuch as the fact of associating a string composed of a combination of letters and characters, such as the TC String, with additional information, notably with the IP address of a user or with other identifiers, enables identification of that user”, the TC String must be considered as “containing information relating to an identifiable user”

(iv) 46 & 47: the fact that “IAB Europe cannot itself combine the TC String with the IP address of the device of a user” and does not have access directly to the data processed by its members in the framework of the TCF does not change this conclusion, *because of para. 40* => reference to Breyer re means reasonably likely to be used

(v) 48 & 49: “in practice there is access anyway” & biggest wrong assumption – allegation that IAB Europe can get access to “all information enabling it to identify users whose data are subject to a TC String” (wrong) – but up to the referring court to check

(vi) Conclusion: TC String = personal data

=> The key reasoning is therefore that it is personal data because there are allegedly means reasonably likely to be used to get additional data (48 & 49) and the combination with such additional data enables identification (44).

Next stop: Market Court – to challenge those assumptions!

Q2: https://lnkd.in/emSUFmQh
