Following Luxembourg’s explanation, the Belgian Court of Appeal will decide on the matter.
advertisementIAB Europe’s online advertising model uses personal data and is therefore subject to the General Data Protection Regulation (GDPR), the EU Supreme Court in Luxembourg revealed today (7 March).
The European Court of Justice (ECJ) decision follows IAB Europe’s challenge to a 2022 decision by the Belgian data protection authority that the real-time bidding model for advertising did not comply with European Union privacy rules. It was issued in response to The Belgian Court of Appeal subsequently sought clarification on the issue in Luxembourg.
IAB Europe, the association representing digital advertising and marketing companies, has built a system that allows brokers and platforms to bid for advertising space in real time based on website user profiles. It encodes the user’s preferences and places a cookie on the user’s device so that the bidder knows what the user has consented to.
However, the Belgian privacy watchdog said IAB Europe had failed to provide users with accurate information about the use of their data, forcing the company to establish a legal basis for data processing and to use a real-time bidding system. He said he had ordered strict scrutiny of the organization. Make sure you meet GDPR requirements. The company was also ordered to pay a fine of 250,000 euros.
The ECJ said today that the IAB’s model “contains information about identifiable users and therefore constitutes personal data within the meaning of the GDPR.”
“The information contained in a transparency and consent string, particularly when associated with an identifier such as the IP address of a user’s device, may allow us to create a profile of that user and potentially identify him or her. ”, it said in a statement.
The ECJ’s clarification means the case will be returned to the Belgian Court of Appeal.
cookie
The ruling comes as the European Commission aims to present a so-called “cookie pledge” at a consumer summit in April. This voluntary commitment ensures that users receive specific information about how their data will be processed and the consequences of accepting different types of cookies. Users therefore have more control over the processing of their data.
The next review of the GDPR, which came into force in 2018, is expected to take place in mid-2024. Last year, the commission also proposed new legislation to strengthen cross-border cooperation between data protection authorities. New rules to ensure stronger enforcement of GDPR (europa.eu)
The highest fine to date for breaching the GDPR was imposed in Ireland. In 2023, the Irish data protection authority ordered Meta to pay a €1.2 billion fine for transferring data collected from Facebook users in the EU to the US. Mehta appealed.
Subscribe here to stay up to date on the latest EU policy developments with our weekly newsletter ‘The Policy Briefing’. Weekly insights into European rule-making, policy issues, key events and data trends.
