Synthetic Law

The ECJ will decide on the TCF (soon)

Sep 18, 2023

A quick reminder for the #AdTech and #MarTech community.

Case C-604/22 at the European Court of Justice is moving forward. Today at 9:30 the EU's top court will hear the parties. A judgment in this case, expected in 2024, will undoubtedly set the stage for personalized advertising in the EU.

To recap the questions posed by the referring court in Brussels:a) Must Article 4(1) of Regulation (EU) 2016/679 1 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, read in combination with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a character string that captures the preferences of an Internet user in connection with the processing of his or her personal data in a structured and machine-readable manner constitutes personal data within the meaning of the said provision in respect of (1) a sectoral organisation which makes available to its members a standard whereby it prescribes to them how that string should be generated, stored and/or distributed practically and technically, and (2) the parties that have implemented that standard on their websites or in their apps and thus have access to that string?

(b)    Does it make a difference in that regard if the implementation of the standard means that this string is available together with an IP address?

(c)    Does the answer to questions 1(a) and 1(b) lead to a different conclusion if this standard-setting sectoral organisation does not itself have legal access to the personal data that are processed within this standard by its members?

(a) Must Articles 4(7) and 24(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, read in combination with Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, be interpreted as meaning that a standard-setting sectoral organisation must be classified as a controller if it offers its members a standard for managing consent which contains, in addition to a binding technical framework, rules setting out in detail how those consent data – which constitute personal data – must be stored and disseminated?

(b)    Does the answer to question 2(a) lead to a different conclusion if this sectoral organisation itself does not itself have legal access to the personal data that are processed within this standard by its members?

(c)    If the standard-setting sectoral organisation must be designated as a controller or a joint controller for the processing of Internet users’ preferences, does that (joint) responsibility of the standard-setting sectoral organisation therefore automatically extend to the subsequent processing by third parties for which the Internet users’ preferences were obtained, such as targeted online advertising by publishers and vendors?