
The Digital Transparency Lab works on global privacy rights as an asset-locked, public-facing, community-interest infrastructure in the Digital Commons, in accordance with Convention 108+. It uses the ISO/IEC security and privacy framework for digital identity management and the ISO/IEC 29100 security and privacy techniques framework, whose terminology is interoperable with the definitions used legally in Convention 108+ and the GDPR, making it the most authoritative legal and technical privacy framework, and implements the 0PN: ANCR Trust Framework as specified by law using standards.

This enables the TP-Scheme to be employed to make an ISO/IEC 29100 standard record and Consent Receipt, which can be used to capture the transparency of any given technical context in a digital record and (digital) consent receipt, enabling digital-privacy-rights-based access to and control of information.

Age Assurance technologies can implement the 0PN:ANCR framework to provide consent receipts when onboarding people into a service, and receipt consent tokens to manage and access the data according to the legal justifications and bound technical permissions in the consent receipt.

This standardised digital privacy transparency, with its records and receipts, brings assurance to accountability infrastructure, which lacked regulated transparency and consent until 2024, when the three required things happened:

  1. The Digital Services Act came into force (the consent receipt was originally in that Act).
  2. The Digital Markets Act came into force on March 8.
  3. The CJEU ruled on the commercial Transparency and Consent Framework, which has blatantly been fake, using "I Agree" check boxes and buttons for plain-text privacy policies, effectively contracting privacy, without consent.

Regulated -

https://sd.iso.org/documents/ui/#!/doc/182c269a-8346-41ec-a4d1-b2bd9ced7a64

March 7, 2024 - CJEU Judgment in Case C‑604/22 (IAB TCF)

I have read it in its entirety, it is a strong judgment. Here are some of my thoughts:

  1. Controllers/Joint Controllers do not have to have access to the personal data in order to be determined as a Controller/Joint Controller. It is enough that they either alone or jointly with others determine at least some of the purpose and/or means related to the processing of the Personal Data. In the IAB case, because IAB has rules for its Members on both how the preferences should be collected (in relation to the Consent Management Platforms) and how they should be used (in the case of the OpenRTB system), they are a Joint Controller (I have argued this point for years).

This doesn't just affect IAB's TCF - this effectively makes other platforms (think SaaS providers like Google Workplace, Office 365, Salesforce etc.) also Joint Controllers as they design the software in a way in which their customers have no control and as such are responsible for determining purposes and means. This brings me to another point I have been making for many, many years, in that these platforms are using Data Processing Agreements and passing themselves off as "Processors" in an attempt to reduce liability - those DPAs are, in my opinion, now invalid and should be replaced with Joint Controller Agreements.

  2. This does not just affect websites - the Court talks about websites and applications throughout the judgment - this means Mobile Applications, Desktop Applications and Operating Systems are *all* within scope of the judgment.

  3. The Court ruled that any processing of the personal data after the fact (by the third parties who use the TCF and OpenRTB system) over which IAB has no control, is not conducted on the basis of IAB being a Joint Controller (this should be considered as obvious, but it is worth mentioning since it was one of the questions specifically answered by the Court).

  4. The CJEU once again took a broad approach to the definitions supported by various recitals - making it clear that the GDPR exists to set a high standard of protection for Article 7 and 8 rights under the CFR.

  5. The Court made it explicitly clear that the collection and use of such personal data can only be lawful on the basis of consent (no legitimate interest), which of course was always the case due to the interplay between the GDPR and the ePrivacy Directive (the latter of which only has consent as a legal basis and is lex specialis to the GDPR).

What to expect next:
The case goes back to the Belgian Courts and will almost definitely result in the Belgian DPA's enforcement being upheld and further action against any company that continues to use the TCF system and new actions against the thousands of data brokers behind OpenRTB.

https://lnkd.in/dHB5MHTk
