.svg)
In the Privacy Soapbox, we give privacy professionals, guest writers, and opinionated industry members the stage to share their unique points of view, stories, and insights about data privacy. Authors contribute to these articles in their personal capacity. The views expressed are their own and do not necessarily represent the views of Didomi.
Do you have something to share and want to take over the privacy soapbox? Get in touch at blog@didomi.io
Some decisions move the law forward. Others take it for a walk. Kafka wrote something pretty solid on the subject. The ruling handed down on May 14, 2025, by the Belgian Market Court in the case of IAB Europe vs the APD belongs firmly in the latter category: it annuls, but not entirely; it confirms, but hesitates; it sheds light, but through a dense administrative fog. In short, another instalment in this long-running judicial saga.
Consent, RTB and TC Strings, Season 3, Episode 14: “The Loop is More or Less Closed.”
Previously on “Consent, RTB and TC Strings”
It’s 2022. The Belgian DPA (APD) issues a severe ruling: The Transparency & Consent Framework (TCF) designed by IAB Europe is found non-compliant, a €250,000 fine is imposed, and an action plan is demanded. The decision is blessed by the DPA’s European peers in a grand ballet of one-stop-shop coordination.
The object of scandal? A small, fragile, algorithmic thing: the TC String, i.e. a string of characters encoding a user’s preferences, in other words, the sentimental DNA of the advertising click. From this shapeless, soulless sequence, the APD forged a legal totem, an almost liturgical obsession, spinning out a decision so convoluted it seemed hell-bent on never stopping to think, just endlessly reflecting on itself. Law is usually dry, a given. But here, it sweated. It perspired doctrine at every turn, panting through concepts like a bureaucrat running uphill in ill-fitting shoes. At the end of this intellectual workout, an exhausted brain-juice yielded the TCF’s condemnation.
IAB Europe, unwilling to play the penitent Ionesco of programmatic advertising, chose instead to appeal and took the matter before the Market Court, that is, the Belgian Court of Appeal.
For the brave-hearted, lovers of spiralling litigation and high-density conceptual riddles, our article retraces the earlier episodes of this saga.
Season 3, Episode 14: The May 14 ruling, or the Art of Performative Annulment
So here we are. On May 14, 2025, the Market Court delivers its long-awaited judgment. And lo and behold it annuls the APD’s decision.
Even before the ruling is published, a spectacular divergence of interpretations is already unfolding. On the right wing of the LinkedIn landscape, activists confusing legal analysis with a sun-drenched apéro in southern France belt out a sausage-fair Te Deum: “The TCF is dead!” they proclaim. The system has been declared illegal, they say, and the AdTech industry must now rebuild from scratch.
Meanwhile, on the left, or rather within the AdTech sphere itself, other voices, more discreet but no less invested, get busy debunking. The Court never declared the TCF illegal. It annulled a decision marred by procedural errors. It rejected IAB Europe’s responsibility for further processing (such as OpenRTB), and the action plan submitted to the APD remains valid, though further discussions are expected. All in all, everything seems just fine in the best of all possible frameworks.
Two narratives, two climates. One could swear they didn’t read the same decision (though honestly, who reads anything these days? The author humbly assumes no one is reading this either). The decision, incidentally, hasn’t even been officially published. That may explain some of the divergence.
So what does the ruling really say?
Far from triumphant slogans or self-congratulatory press releases, your humble narrator has laid eyes on the full text of the Market Court’s judgment. And it must be said it charts a winding, difficult path, bordering on the gauche (to borrow from Dante, because a classical literary reference always looks good). The Court endorsed certain positions of the APD, while in the same breath disavowing major parts of its reasoning.
What we really learn in that decision is three fold:
- That the TC String is personal data.
- That IAB Europe is a joint controller, as it imposes the means and purposes of processing “in a binding manner” on its members.
- That IAB Europe is not a joint controller for further processing carried out, for example, via OpenRTB by third-party AdTech companies.
To simplify: the activists applaud points 1 and 2; IAB Europe takes comfort in point 3.
In practice, this leads to the following two paragraphs in the judgment (skip if you’re in a hurry, a translation is provided below):
“Declares IAB Europe’s substantive grievances against the Contested Decision unfounded except insofar as the Contested Decision finds that IAB Europe acts as (joint) controller for the processing operations carried entirely under the OpenRTB protocol (a finding which the Market Court does not endorse).
Notes that IAB Europe has committed infringements of the following provisions: Article 5(1)(a) GDPR; Article 6; Article 12; Article 13; Article 14; Article 24; Article 25; Article 5(1)(f); Article 32; Article 30; Article 35; Article 37 — as set out in paragraph 535 of the Contested Decision, except where it relates to processing under OpenRTB.”
Translation: IAB Europe got pretty much everything wrong and failed to comply with nearly all its GDPR obligations. It’s an own goal of spectacular proportions for a non-profit. Applause all around. Clap clap clap. The onomatopoeia earned its spot here.
Thus, the activists were right after all: the TCF is brain-dead, the ad industry is on the brink of collapse, and cookie banners are destined for the museum of obsolete internet ephemera. A new digital Eden awaits, free content, minimalist interfaces, and users finally reconciled with the pure joy of reading online. Universal knowledge will finally circulate freely. And while we’re at it, surely PSG might finally win the Champions League.
Except that…
The TCF would only be illegal if (and only if) the TC String is still considered personal data.
Now, if for the sake of rhetorical sport, we temporarily ignore the fact that nowhere in the ruling does the Court declare the TCF “illegal” (which would admittedly make honest legal interpretation much simpler), another thread emerges, one that could entirely exonerate the TCF: the qualification of the TC String itself.
To recap (and one must recap, or risk drowning in one’s own prose. See again: the APD original decision) here’s the decision logic:
If the TC String is personal data, then IAB Europe is a joint controller. As such, it should have complied with the GDPR. But since IAB Europe originally considered the TC String not to be personal data, no compliance measures were taken. Hence the long list of GDPR breaches found by the Court.
This is, in legal terms, a rather banal scenario: an initial misqualification leads to a cascade of non-compliance. Lawyers around the world digest these cases every morning with their espresso.
71 pages for that — still, it’s quite something.
But here’s the key: one must pay close attention to what led the Market Court to consider the TC String personal data from IAB Europe’s perspective.
Because if today, years after this case began, the TC String is no longer personal data from IAB Europe’s point of view, then the entire legal scaffolding collapses.
In its ruling, the Court explains that the TC String is personal data for IAB because the organisation could, via its policies, obtain additional information from its members, thereby allowing it to indirectly identify individuals.
The IAB policies used to state:
“A CMP will maintain records of consent, as required under the Policies and/or the Specifications, and will provide the MO (i.e. IAB Europe) access to such records upon request without undue delay.”
That’s what led the Court to conclude:
“It is indisputable from all the aforementioned articles that, thanks to the information that its members and other organisations participating in the TCF are required to provide to it, IAB Europe has at its disposal resources that it and/or the participating organisations can reasonably be expected to use (or could use) to (in)directly identify a natural person.”
But that was then.
Since then, IAB Europe has thoroughly revised its policies. There is no longer any obligation for CMPs, publishers, or vendors to transmit any data to IAB Europe. Which makes it quite plausible that, had the Court focused on the current version of the TCF, it would not have classified the TC String as personal data from IAB Europe’s point of view. And then? No personal data, no GDPR, no joint controllership, no fine. To simplify (and we must, or collapse under the weight of legal prose) IAB Europe and the TCF would have been left out of the picture entirely.
This reading, grounded in the structural revision of IAB policies, allows us to state not with trumpets, but with high confidence that the TCF is neither banned, nor cursed, nor even examined in its current form. It has not been assessed in the light of its 2025 implementation, nor under the new governance model to come (given that an action plan has already been validated by the APD last year). This isn’t the end of the TCF. It’s the legal equivalent of an outdated review.
Provisional Conclusion: The Ball of Misunderstandings (Encore)
As activists declare the end of an era, and the AdTech industry quietly drafts compliance plans over lukewarm IPAs, a more mundane truth emerges: nothing has really been settled.
The TCF is neither sanctified nor outlawed. The APD has neither won outright nor lost completely. IAB Europe is held responsible on certain points, but escapes the heaviest charges. And like all good European series, a judicial spin-off is already in the works.
To be continued…
.avif.avif){kind=tracking}
