Are internet standard developing organisations data controllers under the GDPR?

In 2022, the Belgian Data Protection Authority (DPA) issued a fine against IAB Europe. It held this industry association for online advertising liable for multiple violations of the General Data Protection Regulation (GDPR) in relation to the Transparency and Control Framework (TCF). This technical standard is used by most Consent Management Platforms (CMPs) deployed on websites available from Europe. It generates a machine-readable expression of user preferences with regards to online privacy, transmitting to all stakeholders' servers taking part in the display of online advertisements. This is meant to ensure that no identifiers are stored on user devices, thus no personal data are processed, prior to any user consent. The Belgian DPA's qualification of IAB Europe as a joint controller in the operation of this standard, which has been confirmed in January 2024 by the European Union's Court of Justice, could be a significant development generating major implications for the whole internet governance ecosystem, object of the examination conducted in this contribution. However, the specifics of this case mean that it can hardly apply to all internet standard developing organisation.