Peter Craddock is a lawyer with a software development background, offering a unique blend of legal and technical knowledge. Based in Brussels, Peter is a prominent voice, notably in the adtech and digital advertising space and on ePrivacy evolutions. Peter helps drive innovation and optimise data utilisation across the EU and beyond. His strategic counsel and legal support span the critical domains of privacy and data protection, data governance, AI governance, cybersecurity, e-commerce, digital transformation, and software contracting. His dual background as a lawyer and software developer uniquely equips him with the ability to analyse the possibilities offered by data protection laws and emerging technologies through a multifaceted lens.
The Market Court decision is out in the IAB Europe / TCF vs Belgian DPA case, and its conclusion is nuanced (as one of the few to have truly read the judgment, trust me on this):
(i) TC Strings are (were?) personal data under TCF 2.0,
(ii) IAB Europe is (was?) joint controller regarding TC Strings,
(iii) IAB Europe is not joint controller regarding further processing.
From campaigners & the press you'll see soundbites like "the TCF is illegal" (despite this not appearing anywhere in the judgment), "the BDPA decision is upheld" (despite the BDPA's decision being actually annulled) - the truth is much more interesting.
(i) "TC Strings are personal data": the Market Court / MC reaches this decision on the basis of the idea that IAB Europe allegedly has means reasonably likely to be used by IAB Europe or TCF participants to identify a natural person (in)directly, thanks to the information that TCF participants and IAB Europe members have to provide to IAB Europe [read para. 47 of the judgment once published].
This was based on one (misinterpreted) line in the TCF v2.0 policies that was about providing evidence of consent.
The policies were adapted a while ago, so does this mean this conclusion is irrelevant going forward? Maybe!
Lesson for others: re-draft your policies to remove any risk of misinterpretation.
(ii) "IAB Europe is a joint controller for the TC Strings": the MC's reasoning here should be a warning to anyone wishing to set a standard. Despite explanations about the governance system, the open-source nature of the specifications etc., the MC held that IAB Europe is the one who “imposes” this processing of personal data “in a binding manner” upon TCF participants; that it is a central body” that “makes certain processing of personal data happen with decisive influence” (referring to the size of certain board members of IAB Europe).
Is there a real purpose for processing belonging to IAB Europe? The MC says the shared purpose of the processing of TC Strings is "ensuring that user preferences are captured in a structured manner and are subsequently shared with all other participants". That's not a data processing purpose - that's describing the process itself.
Not very convincing, but worrying for other standard-setting organisations, as it suggests that the very something your standard describes is your purpose (?).
(iii) "IAB Europe isn't joint controller re further processing"
Confirmation of what the CJEU suspected - though the MC focusses inexplicably on OpenRTB, despite explanations that there is more to further processing than OpenRTB.
Nowhere does the MC say that the TCF is illegal - in fact, it confirms the sanctions of the BDPA's decision (what that will mean to the "further processing" parts of implementation is a bit weird), which were all about showing how the TCF can meet the BDPA's requirements. And the action plan that had been submitted in that respect was validated by the BDPA.
