The Belgian Court of Appeal Rules on the IAB EU TCF

The Belgian Market Court (Court of Appeal) has finally issued its ruling regarding IAB Europe's appeal of a February 2022 Belgian Data Protection Authority (APD) decision concerning the IAB’s Transparency and Consent Framework (TCF).

The decision produced a vast range of ‘expert’ interpretations, from the Irish Council on Civil Liberties (ICCL) boldly declaring that TCF was dead, to the Belgian regulator hailing the decision as a confirmation of the authority’s long-held positions, to the IAB’s own more subdued silver-lining assessment.

So which is it? Is TCF unlawful or not?

What’s TCF Again?

The TCF has served as the consent method-of-choice, used by most organizations (80% of EU websites) to obtain consent for online tracking and data processing. TCF was designed to balance GDPR compliance with Real-Time Bidding (RTB) functionality enabling targeted advertising by tracking user behavior and sharing this data with all registered advertising vendors.

Since 2021, the TCF, and IAB Europe, as its creator, has faced legal challenges from regulators and privacy advocates, principally via IAB Europe’s lead supervisory authority, the Belgian APD. Privacy advocates like the ICCL have consistently argued that the TCF and the Content Management Platforms (CMPs) that implement TCF are “sham consent” mechanisms that fail to adequately inform users about how their data is shared throughout the RTB ecosystem. Additionally, they maintain that the Transparency and Consent Strings (TC Strings)–the digital signals which record user preferences–constitute personal data under the GDPR, with IAB Europe serving as a ‘joint controller’ responsible for their processing.

The legal process over the last few years has been complex, and progressed through multiple Belgian Courts and the European Court of Justice (CJEU). Last week the Belgian Market Court issued its ruling.

Just the Facts, Ma’am

The court’s decision contained several key determinations:

The Court annulled parts of the APD's earlier 2022 decision largely on procedural grounds, rejecting the view that IAB Europe is a joint controller with TCF participants for their processing of personal data for digital advertising purposes (namely, use as part of the OpenRTB protocol). However, it upheld the Belgian DPA’s conclusion that the TC String itself was personal data, and that the IAB was a joint controller with respect to the creation and use of TC Strings for processing user preferences within the TCF. This was in line with an earlier preliminary decision issued by the CJEU in IAB Europe v Gegevensbeschermingsautoriteit, C-604/22 (7 March 2024). 

In other words, the Court concluded that while IAB Europe is responsible for the creation of TC Strings, it is not responsible for other processing operations carried out by those participants within the larger framework of the OpenRTB protocol–i.e., how data is actually used by advertisers.

The Court confirmed that the TCF violates several GDPR provisions, including:

• Articles 5(1)(f), 25, and 32 (failure to ensure personal data are kept secure and confidential and that technical measures exist to record user preferences);
• Articles 5(1)(a) and 6 (failing to have a legal ground for recording user preferences via the TC String);
• Articles 12-14 (failure to provide adequate transparency about data processing activities and categories of personal data).

The Court also affirmed that IAB Europe specifically infringed GDPR relating to its responsibilities as a data controller. Namely:

• Article 24 (controller accountability); 
• Article 30 (failure to maintain a compliant record of processing activities); Article 35 (no data protection impact assessment in relation to TC Strings); and Article 37 (failure to appoint a Data Protection Officer).

Despite annulling parts of the original APD decision on procedural grounds, the Court did maintain the €250,000 fine levied by the APD against IAB Europe.

So, why All the Differing Interpretations?

From IAB Europe's Perspective:

IAB Europe views the ruling as a positive development that “brings legal certainty” and confirms their “limited role” in the TCF. They have emphasized that the Court rejected joint controllership for broader OpenRTB data processing activities. IAB Europe has already proposed changes to accommodate this “limited controllership” as part of an action plan submitted to and validated by the APD in 2023.

What Privacy Advocates' Think:

Privacy advocates such as the ICCL interpret the ruling as further confirmation that the consent system in the EU deceives users and that “tracking-based advertising has no legal basis.” They view this as a landmark decision that puts an end to Big Tech’s use of the GDPR as a “daily nuisance rather than a shield for people.”

So What Does it Mean for Businesses Using TCF?

The ruling only touched on an earlier implementation of the TCF (TCF 2.0). But after the earlier Belgian and CJEU pronouncements in 2024, the IAB began working directly with the Belgian regulator on a new and improved TCF that addresses the authority’s concerns, particularly around joint controllership. Following validation of their action plan by the Belgian DPA in January 2023, many necessary changes were implemented in TCF Version 2.2 in May 2023, with only a few minor adjustments remaining.

IAB Europe has promised in its press statement to implement the remaining changes from their action plan “quickly to ensure compliance with the Market Court's ruling.” With the remediation work already underway and tacit approval by the Belgians, it’s a strong bet that this newer framework will continue to operate during this transitional compliance period as IAB Europe works to fully align with remaining GDPR requirements.