Belgian court limits IAB Europe's role in TCF framework

After a lengthy legal battle, the Belgian Market Court has issued a significant ruling regarding IAB Europe's responsibilities within the Transparency and Consent Framework (TCF). This decision, announced on May 14, 2025, clarifies IAB Europe's position as a joint controller for specific data processing activities while limiting the scope of its responsibilities.

The Belgian Market Court has confirmed that IAB Europe is a joint controller, but only for the specific purpose of processing TC Strings within the TCF framework. The Court annulled portions of the Belgian Data Protection Authority's (GBA) original February 2022 decision that suggested IAB Europe was also jointly responsible for subsequent processing operations carried out entirely under the OpenRTB protocol.

This judgment follows a March 2024 ruling from the Court of Justice of the European Union (CJEU) which had established that TC Strings constitute personal data and that IAB Europe could be considered a joint controller for certain processing activities.

The Court upheld most of the GBA's findings of GDPR violations and maintained the €250,000 fine imposed on IAB Europe. The organization is still required to implement various corrective measures to bring the TCF into compliance with data protection regulations.

Understanding the TCF and its purpose

The TCF was developed by IAB Europe to help digital advertising stakeholders comply with GDPR requirements when using real-time bidding (RTB) systems. It provides a standardized framework for gathering and storing user consent preferences regarding personal data processing for advertising purposes.

When users visit websites implementing the TCF, a Consent Management Platform (CMP) interface appears, allowing them to express preferences regarding data collection and processing. These preferences are then encoded in a TC String, which is shared with participating vendors and publishers.

The Court determined that IAB Europe exercises decisive influence over both the purposes and means of TC String processing within the TCF. As the managing organization that created the framework, IAB Europe establishes binding rules for participants and can suspend or exclude organizations that fail to comply.

Key GDPR violations upheld

The Market Court confirmed that IAB Europe violated several GDPR provisions:

1. Articles 5.1.a and 6: Failing to establish a valid legal basis for processing user preferences within the TCF
2. Articles 12, 13, and 14: Not providing transparent information to data subjects about how their data is processed
3. Articles 24, 25, 5.1.f, and 32: Not implementing adequate technical and organizational measures to ensure data security and protection by design
4. Article 30: Not maintaining a complete register of processing activities
5. Article 35: Failing to conduct a data protection impact assessment
6. Article 37: Not appointing a Data Protection Officer despite the scale and nature of data processing activities

Implications for the digital advertising ecosystem

This ruling has significant implications for organizations operating within the TCF ecosystem. While IAB Europe's joint controllership is now limited to TC String processing within the TCF itself, publishers, CMPs, and vendors must still ensure their data processing activities comply with GDPR requirements.

The Court emphasized that all TCF participants share responsibility for ensuring proper implementation of the framework and protecting user data. This distributed accountability model means that each organization in the chain must take appropriate measures to safeguard personal data and respect user preferences.

Organizations implementing the TCF should review their data protection practices in light of this ruling, particularly regarding transparency, security measures, and the legal basis for processing personal data.

Timeline

• February 2, 2022: Belgian DPA (GBA) issues decision finding IAB Europe to be a joint controller and imposing corrective measures and a €250,000 fine
• March 4, 2022: IAB Europe appeals the decision to the Belgian Market Court
• September 7, 2022: Market Court issues interlocutory judgment referring preliminary questions to the CJEU
• March 7, 2024: CJEU rules that TC Strings constitute personal data and that IAB Europe can be considered a joint controller
• May 14, 2025: Belgian Market Court delivers final judgment, confirming IAB Europe's limited joint controllership