
Possible impacts of CJEU's judgment on Case C-129/21 on Real-Time-Bidding (RTB) online advertising ecosystem*

Thursday, 13 April 2023

Updated at 07:55

In October 2022, the Court of Justice of the European Union (CJEU) handed down its judgment in Case C-129/21, ruling on certain aspects of the publishing and sharing of data subjects' contact details in public electronic telephone directories or directory inquiry services. In a nutshell, drawing on Directive 2002/58/EC (e-Privacy Directive)1 read together with Regulation (EU) 2016/679 (GDPR),2 the CJEU ruled that (a) the "consent" of the subscriber of a telephone service provider is required in order for that subscriber's personal data to be listed in publicly available subscriber directories and directory inquiry services published by other providers, which consent may be given either to the telephone service provider concerned or to one of those other providers, (b) a subscriber's request to remove his or her personal data from publicly available subscriber directories and directory assistance services constitutes an exercise of the "right to erasure" within the meaning of Article 17 of the GDPR, (c) data controllers shall take appropriate technical and organizational measures to inform other data controllers, namely the telephone service provider that supplied it with the personal data of its subscriber and the other providers of publicly available directories and directory inquiry services to which it has itself supplied such data, of the withdrawal of that subscriber's consent, and (d) a provider of publicly available subscriber directories and directory assistance services, from whom the subscriber of a telephone service provider has requested that the personal data concerning him cease to be published, shall take "reasonable steps" to inform search engine providers of that request for deletion of data.3

Although the decision was taken in the context of public electronic telephone directories and directory inquiry services, it may have a great impact on other contexts in which consent-based activity promotes the transfer of personal data along a chain of processing agents to enable one specific purpose, as is the case of the Real-Time Bidding (RTB) ecosystem. RTB is commonly described as "the world's most widespread fully automated sales system for online ad space and, at the same time, a prime example of data-driven online marketing".4 It is a method of buying and selling online advertising in real time, which (a) allows advertisers to bid on ad space on a website or app in real time, as users are visiting the site or app, (b) enables advertisers to target specific audiences, such as users who have previously visited their website, and (c) improves advertisers' chances of bidding on the inventory that is most likely to result in a conversion. This process is facilitated by ad-exchanges5 and demand-side platforms (DSPs),6 which connect all the other actors involved (namely the advertisers that pay for advertising space, the publishers who offer advertising slots on their websites or apps, and consent management platforms (CMPs), which show sophisticated "cookie banners" that publishers employ to interact with both users and technologies embedded on their websites and apps)7 and determine advertising placement by algorithmic systems.8

Imagine that a user accesses the website of a musical instrument store and gives consent for advertising. This store, on its website, enabled the Google ad-network scripts (e.g. the double-click network, integrated with Google Analytics). At that moment, the user is already being profiled by Google based on the consent given to the musical instrument store. Both are already aware of the user's interest in musical instruments. In addition, this same instrument store is also an advertiser and uses the Google network for remarketing, that is, to serve new advertisements on third-party platforms to other users. This advertising may now be published on third-party websites to any user that has the same interest in musical instruments.

But how, on a third-party site, does the ad network identify that the user accessing the page at that moment is the same user who was at the musical instrument store before? Upon receiving the visit to the page, this third party triggers a bid request for the advertising space. And that request includes the personal data of the visitor who is on the page at that time. This could include data such as IP, user-agent information, or the Google User Identifier (in the case of the Google ad network). It is based on this information that the instrument store competes for advertising space to run its remarketing, since the personal data circulating in the bid-offer allows advertisers to know that it is a target profile. For that reason, "a single RTB request can result in personal data being processed by hundreds of organizations".9 The RTB system depends on the circulation of personal data in the chain so that advertisers can identify the profile of who is accessing the page whose advertising space is up for auction at that moment.        

In fact, there are many similarities in how users' personal data are disclosed and accessed in the public directories maintained by telecommunications companies and the functioning of the RTB,10 especially how personal data is processed within data processing chains related to online advertising. For that reason, some consequences over the legal basis of processing, data subject rights, and other obligations of the actors playing within the RTB environment are to be expected.

Concerning the legal basis of RTB processing, the consequences are obvious. The specialized literature claims consent is the only appropriate legal basis for RTB activities.11 As a rule, a lawful basis cannot be shared between controllers, even if their processing activities are aligned, so that each controller within the chain must ensure that its processing is carried out under valid consent regarding its own activities.12 Nevertheless, according to the CJEU's decision in Case C-129/21, the initial consent could be used for the same purpose by other controllers within the chain, regardless of specific consent given to the processing of the subsequent controllers (in the decision, other providers of telephone directories), so that the key point here is the identity of the purposes of the processing.

At first glance, the same logic could be applied to the processing of RTB activities within the same chain. As the CJEU specified, it follows from a contextual and systematic interpretation of Article 12(2) of the e-Privacy Directive that "consent" refers to the purpose of publishing personal data in a public directory and not to the identity of a particular directory provider.13 It also seems clear that the processing of personal data by RTB actors falls within the material scope of the e-Privacy Directive,14 since (a) RTB can be defined as an electronic communications service (ECS), (b) this service is offered over an electronic communications network,15 and (c) the service and network are publicly available.16 Therefore, based on the grounds of the decision in Case C-129/21, controllers are authorized to transfer to other controllers personal data collected and processed for the purpose of profiling users and advertising, without the need for specific consent regarding each controller within the same RTB chain of processing. In the example given above, regarding a user's consent to receive musical instrument advertisements, Google and all possible controllers within the processing chain are authorized to process the user's personal data for the purpose of sending musical instrument advertisements to this user.

Concerning the data subject rights and the obligations of the controller,17 the decision of the CJEU also has some important impacts on RTB activities. First, since the RTB processing of personal data must be consent-based, the controller who first obtained consent for advertising purposes has a duty to adequately inform the data subject about all aspects related to the processing that will or may be carried out with their personal data as a consequence of his or her consent (with whom and how their data will be shared, for what purposes, what the consequences of the subscriber's consent are, how the subscriber's consent can be revoked, what the subscriber's rights are and how they can be exercised, etc.). Second, considering the nature of RTB and that a bid can go out to thousands of bidders at an auction in under a second via automated means, the controller will have no direct control over where any data is transferred. There is no way to tell whether any transferred data is transient for the bid, or is stored for use by the data recipient. In theory, this control is exercised under the Transparency and Consent Framework (TCF),18 but this technology is currently unable to effectively control it.19 In the example of the musical instrument store, consent would be easier for Google to manage, but under the TCF it would be nearly impossible. This means that the bigger tech players may have been granted market dominance by the Court decision and arguably the users of the TCF cannot lawfully meet the requirements of the GDPR. Third, although these obligations fall mainly on the first controller, the other controllers within the chain are not free from the obligations imposed generally on all controllers, such as transparency, data minimization, data accuracy, data deletion, etc.

In addition, the first controller in the chain must take all necessary technical and organizational measures to inform subsequent controllers within the chain of processing about the withdrawal of the subscriber's consent. Moreover, as a consequence of the CJEU decision, the first controller shall also take "reasonable steps" to inform the other controllers within the processing chain of any user's request for the deletion of personal data (right to erasure). In the example of the consent given to a musical instrument store to send advertisements, once consent is revoked by the user or he exercises his right to erasure, this store has a duty to inform all controllers with whom it has shared the user's personal data with the aim of sending targeted advertising about the impossibility of continuing processing activities.

Thus, in the case of the musical instrument store, once the consent for advertising is revoked, this will not modify the profiling already carried out in the chain of the ad network. Revoking cookies from the store and refraining from further activations of the double-click network does not remove the profiling already carried out by Google. Similarly, for those who auction advertising space, the withdrawal of consent does not change the profiling already carried out by other controllers who receive bid requests, which often contain unique identifiers. Considering these factors, the controller receiving the consent revocation demand should adopt its best efforts to propagate this information along the chain, so that active profiles in subsequent layers are reassessed and, if applicable, removed.
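
The propagation duty described in the two paragraphs above presupposes that the first controller knows who received a user's identifiers. As an added illustration (not part of the original article), the Python sketch below keeps a per-user disclosure ledger and derives the notices to send on a consent withdrawal or an erasure request. The class, function, domain and user names are hypothetical, and it assumes every onward transfer is reported back to the ledger, which the article notes RTB does not currently guarantee.

```python
from collections import defaultdict, deque


class DisclosureLedger:
    """Per-user record of which controller passed identifiers to which recipient."""

    def __init__(self):
        self._edges = defaultdict(lambda: defaultdict(set))  # user -> sender -> recipients

    def record(self, user_id, sender, recipient):
        self._edges[user_id][sender].add(recipient)

    def downstream(self, user_id, first_controller):
        """Return {controller: hops} for everyone reachable from first_controller."""
        hops = {first_controller: 0}
        queue = deque([first_controller])
        while queue:
            sender = queue.popleft()
            for recipient in sorted(self._edges.get(user_id, {}).get(sender, ())):
                if recipient not in hops:  # also guards against loops in the chain
                    hops[recipient] = hops[sender] + 1
                    queue.append(recipient)
        del hops[first_controller]
        return hops

    def notices(self, user_id, first_controller, kind):
        """Build one notice per downstream controller, nearest hops first."""
        if kind not in ("consent_withdrawn", "erasure_requested"):
            raise ValueError(f"unknown notice kind: {kind}")
        reach = self.downstream(user_id, first_controller)
        return [
            {"to": c, "user_id": user_id, "kind": kind, "origin": first_controller, "hops": h}
            for c, h in sorted(reach.items(), key=lambda item: (item[1], item[0]))
        ]


def outstanding(notices, acknowledged):
    """Controllers that were notified but have not confirmed they stopped processing."""
    return [n["to"] for n in notices if n["to"] not in acknowledged]


def build_sample_ledger():
    # Constructed sample data: all controller names and user ids are made up.
    ledger = DisclosureLedger()
    ledger.record("user-123", "instrument-store.example", "ad-network.example")
    ledger.record("user-123", "ad-network.example", "dsp-a.example")
    ledger.record("user-123", "ad-network.example", "dsp-b.example")
    ledger.record("user-123", "dsp-a.example", "data-partner.example")
    ledger.record("user-123", "dsp-b.example", "ad-network.example")  # loop back
    ledger.record("user-456", "instrument-store.example", "dsp-c.example")  # other user
    return ledger


if __name__ == "__main__":
    sent = build_sample_ledger().notices(
        "user-123", "instrument-store.example", "consent_withdrawn")
    for n in sent:
        print(n["hops"], n["to"])
    print("no ack yet:", outstanding(sent, {"ad-network.example", "dsp-a.example"}))
```

Recipients that never report their own onward transfers appear as leaves in this ledger, so the list of outstanding acknowledgements is a lower bound on where the data may still be held.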

In summary, the CJEU decision on Case C-129/21 has a big impact on RTB activities, given the similarities between the processing carried out by controllers along the respective processing chain and the processing carried out by telecommunication companies in the publishing and sharing of data subjects' contact details in public electronic telephone directories or directory inquiry services. First, since consent is the appropriate legal basis for processing in both situations, the first controller is authorized to transfer to other controllers personal data collected and processed for the purpose of profiling users and advertising, without the need for specific consent regarding each controller within the same RTB chain of processing. Second, the original controller must be able to control data transferred within the chain, which is not possible under the current technology. Third, the same first controller has a main duty to adequately inform the data subject about all aspects related to the processing that will or may be carried out with their personal data. Fourth, the first controller in the chain must take all necessary technical and organizational measures to inform subsequent controllers within the chain of processing about the withdrawal of the subscriber's consent and take "reasonable steps" to inform the other controllers within the processing chain of any user's request for the deletion of personal data (right to erasure). 

References

CJEU Case C-129/21 Proximus NV ECLI:EU:C:2022:833.

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.

Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), OJ L 321 17.12.2018, p. 36ss.

EDPB, 'Opinion 05/2019 on the interplay between e-Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities', 12 March 2019 (Version 1.0), par. 26. Available here. Last checked: 24 Jan 2023.

Herbrich T and Niekrenz E, 'Privacy Litigation Against Real-Time Bidding - Data-driven online marketing: Enforcing the GDPR by protecting the rights of individuals under civil law' (2021) 22(5) Computer Law Review International 129.

James Hercher, 'The TCF - IAB Europe's GDPR Workaround - Got shot down by Belgium's DPA, with six months to fix it'. Available here. Last checked: 24 Jan 2023.

ICO, 'Update report into adtech and real time bidding', 20 June 2019, p. 20. Available here. Last checked: 24 Jan 2023.

Reed Smith, 'Another adtech blow: IAB TCF held to breach GDPR - what's next?'. Available here. Last checked: 24 Jan 2023.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.

Veale M and Borgesius FZ, 'Adtech and Real-Time Bidding under European Data Protection Law' (2022) 23(2) German Law Journal 226.

Veale M, Nouwens M and Santos C, 'Impossible Asks: Can the Transparency and Consent Framework Ever Authorise Real-Time Bidding After the Belgian DPA Decision?' [2022].

__________

*This paper was originally presented as a final paper for the course "Digital Trust: ePrivacy and the Protection of Personal Data in Electronic Communications" within the Advanced Master in "Privacy, Cybersecurity, Data Management, and Leadership" of the University of Maastricht, under the supervision of professors Karolina Podstawa and Christopher Mondschein.

1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37-47.

2 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1-88.

3 CJEU Case C-129/21 Proximus NV ECLI:EU:C:2022:833, par. 100.

4 Tilman Herbrich and Elisabeth Niekrenz, 'Privacy Litigation Against Real-Time Bidding - Data-driven online marketing: Enforcing the GDPR by protecting the rights of individuals under civil law' (2021) 22(5) Computer Law Review International 129 (129)

5 Ad-exchanges are platforms that facilitate the purchase and sale of inventory through real-time auctions, functioning as a single point of contact between vehicles and ad buyers.

6 DSPs are software that allows the automation of programmatic media buying, facilitating the decision-making process.

7 Michael Veale, Midas Nouwens and Cristiana Santos, 'Impossible Asks: Can the Transparency and Consent Framework Ever Authorise Real-Time Bidding After the Belgian DPA Decision?' [2022], p. 12s.

8 Michael Veale and Frederik Z Borgesius, 'Adtech and Real-Time Bidding under European Data Protection Law' (2022) 23(2) German Law Journal 226, p. 231.

9 ICO, 'Update report into adtech and real time bidding', 20 June 2019, p. 20. Available here. Last checked: 24 Jan 2023.

10 Although, in theory, potential advertising space can be auctioned on the basis of generic data, in practice "bid requests contain enough data to identify an individual or device (...) in a number of ways". For this reason, it is undeniable that "RTB is heavily entwined with individualized tracking and cannot be properly understood without it". Veale and Borgesius (n 8) (233, 227).

11 ibid, p. 243

12 According to Recital 42 GDPR, the required information to guarantee valid consent includes "the identity of the controller".

13 Thus, under the e-Privacy Directive, when that subscriber has consented to his data being published in a list with a specific purpose, CJEU considers that the subscriber will generally not have an interest in opposing the publication of the same data in another similar list. CJEU Case C-129/21 Proximus NV ECLI:EU:C:2022:833, par. 100.

14 Which, remember, "particularize and complement the provisions of the GDPR, with respect to the processing of personal data in the electronic communication sector". EDPB, 'Opinion 05/2019 on the interplay between e-Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities', 12 March 2019 (Version 1.0), par. 21. Available here. Last checked: 24 Jan 2023.

15 According to Article 2(4) of the European Electronic Communications Code, electronic communications service "means a service normally provided for remuneration via electronic communications networks, which encompasses (...) content transmitted using electronic communications networks and services". Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (Recast), OJ L 321 17.12.2018, p. 36ss.

16 EDPB, 'Opinion 05/2019 on the interplay between e-Privacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities', 12 March 2019 (Version 1.0), par. 26. Available here. Last checked: 24 Jan 2023.

17 It is undeniable that, in the context of RTB, ad exchanges act as controllers, as well as publishers and advertisers. As for the characterization of CMPs, there is some divergence, but the tendency is that they are also characterized as controllers since they have some discretion over how to design interfaces through which users indicate their preferences. Veale, Nouwens and Santos (n 7), p. 16.

18 TCF is a voluntary framework created by the Interactive Advertising Bureau Europe (IAB Europe), which "facilitates the processing of personal data and management of users' preferences for (among other things) online personalised advertising - including the collection of consent, legitimate interests opt outs and preferences for the sharing of personal data with adtech vendors -" and "created a standard that aims to achieve compliance with UK and EU privacy rules, primarily through the use of CMPs." James Hercher, 'The TCF - IAB Europe's GDPR Workaround - Got shot down by Belgium's DPA, with six months to fix it'. Available here. Last checked: 24 Jan 2023.

19 Some technical difficulties of such control can be seen here: Reed Smith, 'Another adtech blow: IAB TCF held to breach GDPR - what's next?'. Available here. Last checked: 24 Jan 2023.