Why the “TCF is illegal” claim is incorrect (and why both sides are saying opposite things):
1. The claim for joint controllership of IAB Europe over further processing (and OpenRTB in particular) was denied. This is significant. Some plaintiffs expressed their disappointment with the CJEU’s position on this during a conference at the VUB (Free University of Brussels) last year.
2. The Market Court (MC) did not rule that there was anything inherently illegal with the TCF, it only said that _in version 2.0 of the TCF_ (it explicitly excluded v2.2 from its assessment) there were some infringements by IAB Europe, _but_ not as regards further processing*.
Which ones? It refers to a list prepared by the Belgian DPA (BDPA), but that also covers further processing (excluded by the MC):
(i) Art. 5(1)(a) & 6 GDPR (BDPA explanation: no legal ground for the recording of user preferences in the form of a TC String, and legitimate interest can’t be used for OpenRTB processing)
(ii) Art. 12/13/14 GDPR (BDPA: need for more information re categories of personal data processed and re scope & consequences of processing)
(iii) Art. 24/25/5(1)(f)/32 GDPR (BDPA: need for additional measures to safeguard the integrity of TC Strings and to ensure that users’ preferences are observed, and data subjects had to be able to exercise their rights vis-à-vis all joint controllers – referring to IAB Europe, CMPs** and publishers)
(iv) Art. 30 GDPR (no ROPA of IAB Europe mentioning the processing of TC Strings by joint controllers)
(v) Art. 35 GDPR (no DPIA by IAB Europe in relation to TC String creation & processing by joint controllers)
(vi) Art. 37 GDPR (no DPO of IAB Europe)
* The MC’s references to processing “entirely in the context of OpenRTB” clearly mean all further processing, based on the context and the contradictions the MC points out in the BDPA’s decision re joint controllership over further processing.
** CMPs act as processors. Not as controllers. This is again a misunderstanding by the BDPA.
3. What comes next then? The BDPA validated an action plan and an implementation period to comply with its orders, and much was already implemented through TCF v2.2. The outstanding points had more to do with IAB Europe’s potential controllership.
So declaring “TCF is illegal” based on the MC ruling is wrong. TCF v2.2 covers much of what the BDPA wanted, and the rest will come once the action plan implementation period resumes. And the MC excludes further processing anyway.
Finally, all of this hinges on TC Strings being personal data – and the MC’s finding that they _are_ is really based on _one_ line of the v2.0 policies. And that line isn’t in TCF v2.2, which was launched in May 2023.
My earlier post on what the MC actually decided: https://lnkd.in/e8A-ysCV
Data protection GDPR privacy adtech
Did this analysis get you thinking? Reach out!
DataLaws.net is entirely open-access, and instead of getting your data in exchange for this content, how about another trade? If this commentary saved you research time or sparked an idea, feel free to invite me over for tea, chai or a hot chocolate next time you are around Brussels or Antwerp - or invite me over to your offices for a chat!
Get in touch ↗ Let's connect on LinkedIn ↗