EU: Brussels Court of Appeal rules on IAB Europe and the TC String – Implications for GDPR Compliance

By Heidi Waem, Verena Grentzenberg & Luca Sawatzki on June 11, 2025

Posted in Adtech, General Data Protection Regulation

On 14 May 2025, the Brussels Court of Appeal (Market Court) delivered the long-awaited judgement in the case concerning the Transparency & Consent Framework (“TCF”) (case no. 2022/AR/292). The Court largely upheld the findings of the Belgian Data Protection Authority (“Belgian DPA”), concluding that the TCF’s use of the Transparency and Consent String (“TC String“) fails to fully comply with the General Data Protection Regulation (“GDPR”). This decision followed a preliminary ruling of the Court of Justice of the European Union (“CJEU”) in March 2024 (case no. C-604/22) (see our previous blog post).

Background

IAB Europe is a non-profit association that represents the digital advertising and marketing sector at the European level. It developed the TCF to standardize the way online publishers, advertisers, and other participants in the ad-tech ecosystem collect user consent for data processing in accordance with the GDPR.

The TCF is widely applied in the context of a real-time auctioning system used to acquire advertising space for the display of targeted advertisements online. A key component of the TCF is the TC String.

The TC String is a combination of letters and characters which encodes and records user preferences through consent management platforms (“CMPs”) when users visit a website or app. The TC String is then shared with ad platforms and other participants of the ad-tech ecosystem; the CMP also places a specific cookie on the user device. When combined, the TC String and this cookie can be linked to the user’s IP address.

In February 2022, the Belgian DPA decided that:

the TC String constitutes personal data under Art. 4(1) GDPR,
IAB Europe qualifies as a controller under Art. 4(7) GDPR, and
the TCF, as implemented, did not meet certain GDPR requirements (for details see our previous blogpost).

IAB Europe appealed the decision, and in the course of proceedings, the Brussels Court of Appeal referred several key legal questions to the CJEU. In March 2024, the CJEU confirmed that:

the TC String may constitute personal data under Art. 4(1) GDPR if it can be combined with other data to identify a user.
IAB Europe can, under certain circumstances, be considered a controller under Art. 4(7) GDPR.
IAB Europe is not automatically a controller for further processing activities by third parties if it does not determine the purposes or means of those processing activities (for details see our previous blogpost).

Findings of the Brussels Court of Appeal

The Brussels Court of Appeal partially annulled the Belgian DPA’s original €250,000 fine against IAB Europe —but solely on procedural grounds. Substantively, the Court confirmed the Belgian DPA’s main findings.

The key rulings include:

Personal Data Classification: in line with the CJEU, the Court confirmed that the TC String qualifies as personal data when combined with additional identifying information such as the user’s IP address.
Controller Status: the Court agreed that IAB Europe acts as a (joint) controller within the meaning of Art. 26 GDPR for processing operations within the TCF. However, IAB Europe was found not to be a controller for processing activities conducted solely within the OpenRTB protocol framework, over which it has no control.
GDPR Violations Identified:
- IAB Europe failed to establish a valid legal basis under Art. 6(1) GDPR for processing personal data via the TC String. In particular, legitimate interest under Art. 6(1)(f) GDPR could not be relied upon, as the necessity of the processing was not demonstrated.
- Lack of Transparency: the framework failed to provide users with clear and accessible information, in violation of Art. 12–14 GDPR.
- No Data Protection Impact Assessment (“DPIA”): a DPIA required under Art. 35 GDPR was not conducted.
- Additional Violations: the Court found further infringements of Art. 5(1)(f), 25, 32, and 37 GDPR, concerning data security, privacy by design, and data protection officer obligations.

Conclusion

At first glance, the judgement provides important guidance on the compliance of IAB Europe when implementing the TCF.

However, it remains to be seen what the consequence of the judgement will be. It is worth noting that the judgment applies specifically to TCF versions 1.0 and 2.0. The currently deployed version – TCF 2.2 – was not subject to review in this case. Whether future implementations of the TCF will satisfy GDPR requirements remains an open question and may be subject to future regulatory scrutiny. Many of the points criticized have already been rectified in the version 2.2 of the TCF. The remaining uncertainty concerns the fact of whether and under which circumstances IAB Europe can qualify as a (joint) controller in relation to the TC String in its current version. This largely depends on whether IAB Europe has real decision-making power over the purposes and means of processing.

Moreover, the question of whether an individual company is in breach of GDPR when using the TCF remains a matter for national data protection authorities to decide on a case-by-case basis.