CNIL (France) - SAN-2022-025

From GDPRhub
CNIL - Délibération SAN-2022-025
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Type: Complaint
Outcome: Upheld
Started: 10.03.2021
Decided: 29.12.2022
Published:
Fine: 8,000,000 EUR
Parties: Apple Distribution
National Case Number/Name: Délibération SAN-2022-025
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined Apple Distribution International €8,000,000. Apple used its advertising identifiers on Apple devices without the prior consent of French users, in violation of Article 82 of the French Data Protection Act.

English Summary

Facts

On 10 March 2021, the French DPA received a complaint against Apple (controller) regarding the iOS and macOS operating systems. According to the complaint, a setting called ‘personalised ads’ in the settings of Apple devices was activated by default. This did not allow data subjects to validly consent to targeted advertising. Subsequently, the DPA carried out multiple investigations into the controller. (11 – 12) The investigation was limited to iOS version 14.6, the controller’s operating system for iPhones. During the investigation, the DPA found that part of the controller’s processing was the ‘search ads’ service, which was used to personalise ads in the Apple App Store. This service allowed developers to promote their application based on different criteria, such as device type, age and gender. If this ‘search ads’ service was enabled in the iPhone settings, the ads displayed to the data subject in the App Store would be personalised. If this setting was disabled, data subjects would receive an ad which was not personalised. (38-39)

The DPA described the technical workings of this function in three stages. The first stage was data collection. When a data subject created an Apple account to operate the iPhone, a technical identifier called the ‘directory services identifier’ (DSID) was created on the controller’s side and assigned to the data subject’s user account. When the user subsequently browsed the App Store, the data subject’s activity logs were associated with this DSID. If the ‘search ads’ service was enabled as well, the controller used this collected data to provide personalised ads. Specifically, the controller placed data subjects in a segment of at least 5,000 users with similar characteristics. (41-43) The second stage was the creation of identifiers which were specifically meant for promoting mobile applications in the App Store. These identifiers were created locally on the device. One of these was the ‘device pack identifier’ (DPID), which was synchronised via iCloud in order to ensure that all devices of the same user had the same DPID; the other was the iADID, which was specific to each device. (44) The third stage related to the display of personalised ads. When a user searched for an application in the App Store, the device sent a request to the controller’s Ad Platform service. This request contained the following information: the word searched for, the DPID, the iADID and any segments the data subject had been placed in (see first stage).

The controller had two French subsidiaries, Apple France and Apple Retail France. In the context of the ‘search ads’ service, Apple France employed ‘search ads specialists’, who had to provide assistance to app developers using Apple’s advertising platform and help them better target the relevant audience. (71 – 73)

Holding

Material competence of the French DPA

This decision was based on a violation of Article 82 of the French Data Protection Act, which is itself the national implementation of Article 5(3) of the ePrivacy Directive. (36) In order to determine whether this directive was applicable, the DPA investigated the existence of read or write operations with regard to the different identifiers that Apple used for the personalised ads function. The DPA concluded that the controller was reading and/or writing these identifiers on the devices of data subjects. (48 – 57) The DPA also discussed the difference between the ePrivacy Directive and the GDPR, since the controller had argued that the GDPR was applicable and that the Irish DPA was competent. The DPA stated that reading/writing operations on a terminal were governed by Article 82 of the French Data Protection Act, for which the French DPA was the competent authority. Any subsequent processing of personal data collected with these identifiers would fall under the GDPR and possibly the ‘one-stop-shop mechanism’. The DPA referred to its decision of 28 January 2022 and stated that, because of the controller’s reading and/or writing operations, this decision fell within the competence of the French DPA. The GDPR and the one-stop-shop mechanism were not applicable here. The DPA also specified that this decision only concerned the controller’s reading/writing operations, and not any subsequent processing. (59-62)

Territorial competence of the French DPA

In order to assess whether the DPA was territorially competent to handle this decision under Article 3 of the Data Protection Act, two criteria had to be fulfilled: (1) the controller needed to have an establishment on French territory, which was the case according to the DPA, since the controller had two French subsidiaries, Apple France and Apple Retail France; and (2) there needed to be processing which was carried out in the context of the activities of this establishment. (66) For assessing whether personal data was being processed in the course of the activities of an establishment, the DPA referred to another one of its earlier decisions (AMAZON EUROPE CORE of 27 June 2022). The DPA stated that personal data could be processed in the course of an establishment’s activities when this establishment merely carried out the promotion and sale of advertising space in order to make the services offered by the controller profitable. The promotion and sale operation had to be carried out on the territory of a member state, and the processing of the controller had to consist of collecting personal data by means of connection trackers installed on the devices of data subjects. In the same decision, the DPA also mentioned that this criterion was fulfilled when the activity consisted of the promotion and marketing of advertising tools using identifiers. (70) The DPA considered that this second criterion was also fulfilled. Every iPhone sold in France contained the App Store, which included the controller’s identifiers. Therefore, Apple Retail France’s activity contributed to the fact that people who owned an iPhone could access the App Store and carry out searches, which would result in ads being personalised for them via the identifiers. Apple Retail France was therefore a promoter of the iOS operating system. (71) With regard to the other subsidiary, Apple France, the DPA noted that it employed search ads specialists who would assist developers with their ad campaigns. (72) Therefore, the DPA concluded that there was an indissociable link between the activities of these subsidiaries and the reading/writing operations regarding the identifiers used by the controller. (73)

On the violation of Article 82 of the Data Protection Act

Exception applicable?

The DPA explained that Article 82 of the Data Protection Act requires the controller to obtain the consent of data subjects if it reads/writes information on the user’s device, which the controller was doing in this case. There were, however, two exceptions to this consent requirement: if the sole purpose of the identifier was to facilitate communication by electronic means, or when the identifier was strictly necessary for the provision of an online communication service at the express request of the data subject. (95) If an identifier had more than one purpose, for example providing communication AND advertising, the controller could only use the identifier for advertising when it had obtained prior consent from the data subject for this specific advertising purpose. (96) The DPA therefore determined it necessary to assess the purposes of the different identifiers used by the controller. (97) The DPA concluded that none of the identifiers were exclusively intended to allow or facilitate communication by electronic means, nor were they strictly necessary for the provision of an online communication service at the express request of the user. Therefore, neither of the exceptions in Article 82 of the Data Protection Act was applicable, and the controller had to obtain consent (Article 4(11) GDPR) before using the identifiers. (99)

Consent obtained?

The DPA reiterated that the controller’s advertising setting was enabled by default on the iPhone. Therefore, users did not have the chance to consent to the controller’s targeted advertising operations. (103) The consent option also came too late in the process of the user setting up the phone: the option to consent to personalised advertising was not integrated in the phone’s setup process, and the setting was buried too deep in the iPhone’s settings. According to the DPA, it took a large number of steps to get to this setting. (104) The DPA also considered that the controller was implementing processing on a large scale (given the market position of iOS) and stated that the targeting was based on people’s interests and lifestyle habits. Therefore, data subjects should have been provided with the option to give valid consent, which was not the case here. Consequently, the DPA determined that the controller had violated Article 82 of the Data Protection Act. The DPA added that the controller had introduced a new consent box in the new version of its operating system, iOS 15, which fixed the shortcomings of iOS 14.6. However, this was not enough to call the existence of breaches relating to iOS 14.6 into question. After considering several mitigating and aggravating factors, the DPA fined the controller €8,000,000.

Comment

An Apple spokesperson told Politico that the company was disappointed with the decision and will appeal: https://www.politico.eu/article/apple-fined-e8-million-in-privacy-case/

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.