CNIL (France) - SAN-2022-025

From GDPRhub
CNIL - Délibération SAN-2022-025
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Type: Complaint
Outcome: Upheld
Started: 10.03.2021
Decided: 29.12.2022
Published:
Fine: 8,000,000 EUR
Parties: Apple Distribution
National Case Number/Name: Délibération SAN-2022-025
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined Apple Distribution International €8,000,000. Apple implemented its advertising identifiers on Apple devices without prior consent from French users, in violation of Article 82 of the French Data Protection Act.

English Summary

Facts

On March 10 2021, the French DPA received a complaint against Apple ('provider' or 'the company') regarding the iOS and MacOS operating systems. According to the complaint, there was a setting called ‘personalised ads’ in the settings of Apple devices which was activated by default. Subsequently, the DPA carried out multiple investigations into the company.

The investigation was limited to iOS version 14.6, Apple’s operating system for iPhones. During the investigation, the DPA found that part of the companies processing was the ‘search ads’ service, which was used to personalize ads in the Apple App Store. This service allowed developers to advertise their application in the App Store based on different criteria, such as, but not limited to, device type, age and gender. If the 'personalised adds’ function was enabled in the iPhone settings, the ads displayed to the data subject in the App Store would be personalized using this data. If this setting was disabled, data subjects would receive an ad which was not personalized.

The technical workings of the 'personalised adds' setting was analysed by the DPA based on information provided by Apple. The DPA stated that the setting involved multiple identifiers which were created on the data subject's iPhone and the companies servers at different stages of using the phone and setting it up. The identifiers served different purposes related to advertising in the App Store.

Apple had two French subsidiaries called Apple France and Apple Retail France. In the context of the ‘search ads’ service, Apple France employed “search ads specialists’, which had to provide assistance to app developers when they were using Apple’s advertising platform in order to target the relevant audience.

In its defence, the company had, among other things, argued that the French DPA was not competent in this case. Apple argued that the GDPR was applicable and that the Irish DPA was instead the competent authority under the one stop shop mechanism.

Holding

Material competence of the French DPA

This decision revolves around advertising identifiers that made Apple's advertising ecosystem possible. Such identifiers essentially operate like tracking cookies. Therefore, the French DPA focused on a possible violation of Article 82 of the French Data Protection Act, which in turn implements Article 5(3) of the ePrivacy Directive into the French legal framework. This provision requires the company (rectius, the service provider) to seek the user's previous consent in order store or access information on the terminal equipment of the user. Thus, in order to determine if Article 82 was applicable, the DPA investigated the existence of read - or write operations with regard to the different identifiers that Apple used for offering personalised adds. The DPA concluded that Apple was reading and/or writing with regard to these identifiers on devices of data subjects.

The DPA also discussed the difference between the ePrivacy directive and the GDPR. The DPA stated that the reading/writing operations in this decision were covered by Article 82 of the French Data Protection act which operates as lex specialis to the GDPR and therefore takes precedence over the general Regulation. Hence, the French DPA found itself materially competent under French law with regard to such reading and writing operations (i.e. the installation and access to Apple's mobile advertising identifiers). This obviously does not rule out the GDPR application for the subsequent processing of personal data collected using these identifiers. However, this decision did not concern any subsequent processing but only the reading/ writing operations. Therefore, the GDPR and the 'one stop shop' mechanism were not applicable here.

Territorial competence of the French DPA

In order to assess if the DPA was territorially competent to handle this decision under Article 3 of the Data Protection Act, the DPA assessed if Apple fulfilled the following two criteria:

(1) the provider needed to have an establishment on French territory, which was the case according to the DPA. Apple had two French subsidiaries, Apple France and Apple Retail France.

(2) There also needed to be processing which was carried out in the context of activities of an establishment. The DPA referred to another of its decisions (AMAZON EUROPE CORE of 27 June 2022). The DPA stated in this decision that the processing could be in the 'context of the activities of an establishment' when this establishment merely provided the promotion and sale of advertising space to make the provider's services profitable, when the provider's processing was carried out on the territory of a member state and entailed collecting personal data with advertising trackers. In this Amazon decision, the DPA also mentioned that this criterion was fulfilled when the activity entailed the promotion and marketing for advertising tools of the provider, which primarily operate with personal data collected with the use of advertising trackers. (See points 10 and 15 of this Amazon decision - link to original decision in French).

The DPA considered that this second criterion was fulfilled in this decision. Every iPhone sold in France contained the App Store, which came with the companies identifiers. Therefore, the establishment Apple Retail France helped data subjects owning an iPhone accessing the App store and carry out searches, which would result in these data subjects being personalized by the identifiers. With regard to the other subsidiary/establishment, Apple France, the DPA noted that it employed 'search ads specialists', who assisted app-developers with their ad campaigns. Therefore, the DPA concluded that there was a clear link between the activities of Apple's subsidiaries and the reading/writing operations regarding the identifiers used by Apple.

Did the provider violate Article 82 of the Data Protection Act?

The DPA explained that Article 82 of the Data Protection Act required the provider to ask consent of data subjects if it was reading/writing information to the user’s device. There were however two exceptions to this consent-requirement. The provider did not have to obtain consent if the sole purpose of the identifier was to facilitate communication by electronic means or when the identifier was strictly necessary for the provision of an online communication service at the express request of the data subject. If an identifier had more than one purpose, for example providing communication and advertising, the provider could only use the identifier for advertising when it had obtained prior consent from the data subject for this specific advertising purpose. The DPA therefore determined it necessary to assess the purposes of the different identifiers used by Apple.

The DPA concluded that none of the companies identifiers were exclusively intended to allow or facilitate communication. They were also not strictly necessary for the provision of an online communication service at the request of the user. Therefore, none of the exceptions in Article 82 of the Data Protection Act were applicable, and Apple had to obtain consent (Article 4(11) GDPR) before using the identifiers.

The DPA reiterated that the companies advertising setting was enabled by default on the iPhone. Therefore, data subjects could not give consent Apple's targeted adverting operation. The option to consent to this personalized adverting was also not integrated in the iPhone’s setup process. Besides that, the DPA also stated that the setting was buried too deep in the iPhone’s settings. According to the DPA, it took a large number of steps to get to this setting. The DPA also considered that Apple was implementing processing on a large scale (given the market position of iOS) and stated that the targeting was based on interests and lifestyle habits. Therefore, data subjects should be provided the option to give valid consent, which was not the case here. Therefore, the DPA determined that the company violated Article 82 of the French Data Protection Act.

The DPA added that Apple had provided a new consent box in its new version of the operating system, iOS 15, which fixed the shortcomings of iOS 14.6. However, this was not enough to mitigate the existence of breaches relating to iOS 14.6. After considering several mitigating and aggravating factors, the DPA fined Apple €8,000,000.

Comment

An Apple spokesperson told Politico that the company was disappointed with the decision and will appeal: https://www.politico.eu/article/apple-fined-e8-million-in-privacy-case/

The status of the ePrivacy directive as Lex Specialis to the GDPR has been confirmed in EDPB Opinion 5/2019 (see paragraph 35)

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n°SAN-2022-025 of 29 December 2022 concerning the company APPLE DISTRIBUTION INTERNATIONAL

The Commission nationale de l'informatique et des libertés, meeting in its restricted formation composed of Mr Alexandre LINDEN, chairman, Mr Philippe-Pierre CABOURDIN, vice-chairman, Mr Alain DRU and Mr Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and the free movement of such data (RGPD);

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to Law No. 78-17 of 6 January 1978 on information technology, files and freedoms, in particular Articles 20 et seq;

Having regard to Decree No. 2019-536 of 29 May 2019 taken for the application of Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of 4 July 2013 adopting the internal rules of procedure of the Commission nationale de l'informatique et des libertés;

Having regard to Decision No. 2021-113C of 17 May 2021 of the President of the Commission nationale de l'informatique et des libertés to instruct the Secretary General to carry out or have carried out the verification of the compliance of the processing of personal data implemented in the context of the use of the iOS (formerly "iPhone OS") and MacOs operating systems with the provisions of Law No. 78-17 of 6 January 1978 on data processing, files and freedoms, as amended, and of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ;

Having regard to the decision of the President of the Commission nationale de l'informatique et des libertés appointing a rapporteur before the restricted formation, dated 10 January 2022;

Having regard to the report of Mr François PELLEGRINI, rapporteur commissioner, notified to the company APPLE DISTRIBUTION INTERNATIONAL on 27 July 2022;

Having regard to the written observations submitted by APPLE DISTRIBUTION INTERNATIONAL on 19 September 2022;

Having regard to the rapporteur's reply to these observations, notified to APPLE DISTRIBUTION INTERNATIONAL on 19 October 2022;

Having regard to the new written observations submitted by APPLE DISTRIBUTION INTERNATIONAL on 21 November 2022, as well as the oral observations made during the meeting of the restricted panel on 12 December 2022;

Having regard to the other documents in the file;

Having regard to the other documents in the file; The following were present at the meeting of the restricted formation:

- Mr François PELLEGRINI, Commissioner, heard his report;

As representatives of APPLE DISTRIBUTION INTERNATIONAL :

- [...] ;

APPLE DISTRIBUTION INTERNATIONAL having had the floor last ;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The APPLE Group (APPLE INC. and its subsidiaries, collectively the "APPLE Group") designs, manufactures, and markets mobile communications and media devices, personal computers, and sells a range of software, services and peripherals, networking solutions, digital content, and third-party applications in connection with these products.

2. The APPLE Group's products, which include the iPhone (a multi-functional mobile phone), each come with a specific pre-installed operating system designed within the APPLE Group (iOS for the iPhone).

3. The APPLE Group sells and delivers its digital content and applications through its online application shops, which are the App Store, the iTunes Store, the iBooks Store and the Mac App Store.

4. APPLE INC. generally holds, directly or indirectly through intermediary entities, interests in all subsidiaries of the group. These include APPLE DISTRIBUTION INTERNATIONAL LTD (hereinafter "ADI"), APPLE FRANCE, APPLE RETAIL FRANCE and APPLE EUROPE INC (hereinafter "AEI").

5. ADI is located at Hollyhill Industrial Estate, Cork, Ireland and employs approximately [...] employees. It describes itself as the entity responsible for the sales and distribution of APPLE Group products in Europe. It also considers itself to be the controller of personal data relating to the activity of the APPLE group's advertising platforms in the European Economic Area.

6. For the year 2021, ADI has a turnover of approximately USD [...], which is approximately EUR [...] (at the current exchange rate).

7. APPLE FRANCE is located at 7, place d'Iéna in Paris (75116) and has approximately [...] employees. It does not sell or distribute products in France. Its role is to support the sales and marketing of products marketed by ADI to distribution partners in the French market, under a "sales and marketing support service contract" in force since 1 October 2018.

8. APPLE RETAIL FRANCE is located at 3-5, rue Saint-Georges in Paris (75009). Its role is to sell and distribute APPLE group products in France.

9. AEI, which has its registered office in the State of Delaware, United States of America, has a branch in France with the same name (AEI), whose registered office is located at 7 place d'Iéna in Paris (75116).

10. AEI, which is based in the State of Delaware, United States of America, has a branch in France with the same name (AEI), whose registered office is located at 7 place d'Iéna in Paris (75116).

11. On 10 March 2021, the Commission Nationale de l'Informatique et des Libertés (hereinafter "the CNIL" or "the Commission") received a complaint against APPLE from the association FRANCE DIGITALE. The complaint concerns the processing carried out by the APPLE group through its iOS and MacOs operating systems. The complaint states that the privacy setting "Personalised ads" in the settings of devices marketed by the APPLE group and running on the iOS and Mac OS operating systems is activated by default, which does not allow users to validly consent to advertising targeting.

12. Two online monitoring missions on devices running the iOS and MacOS operating systems were conducted on 8 and 16 June 2021.

13. Official reports No 2021-113/1 and No 2021-113/2, drawn up by the delegation on the day of the checks, were notified to ADI and AEI on 24 June 2021. On this occasion, requests for additional information were sent to them. ADI replied by emails dated 5 and 12 July 2021. On the other hand, in emails dated 30 June and 8 July 2021, AEI stated that it was not in a position to respond to the delegation's requests, as it did not play a "decisive role in the processing operations subject to the audit".

14. A documentary inspection was also carried out at ADI, AEI and APPLE FRANCE on 13 July 2021. These companies sent their response to the CNIL by e-mail on 25 August 2021. In emails dated 31 August 2021, APPLE FRANCE and AEI completed these responses by sending, each for what it is concerned, the register of processing operations implemented. On this occasion, a request for additional information was sent to ADI, which replied by e-mail dated 5 October 2021.

15. Finally, an on-site inspection at the premises of APPLE FRANCE was carried out on 13 October 2021 in order to obtain further information on its relations with ADI, on the activity of employees holding the position of "Search Ads Platform Specialists" or "Search Ads Platform Specialists Managers" and on the operation of the "Apple Search Ads" service.

16. 16. Report No. 2021-113/3, drawn up by the delegation on the day of the inspection, was notified to APPLE FRANCE and ADI on 19 October and 14 December 2021 respectively. On this occasion, a request for further information was sent to APPLE FRANCE, which replied by e-mail on 25 October 2021.

17. 17. A request for further information was sent to ADI by letter dated 15 November 2021, to which it replied by e-mail dated 17 November and 3 December 2021.

18. By e-mail dated December 7, 2021, the CNIL sent a new request for additional information to ADI, which responded by e-mail dated December 22, 2021.

19. For the purposes of investigating these elements, the Commission's President appointed Mr François PELLEGRINI as rapporteur on 10 January 2022, on the basis of Article 22 of the amended Act of 6 January 1978.

20. In an email dated 18 February 2022, ADI requested a hearing in order to explain to the rapporteur the context of the complaint lodged by the association FRANCE DIGITALE and to provide information about the framework in which technical operations are carried out on mobile terminals running the iOS operating system.

21. 21. The rapporteur having responded favourably to this request, the company's hearing took place on 16 March 2022 at the CNIL premises.

22. 22. Minute No. CTX-2021-106 drawn up at the end of the hearing was notified to ADI by e-mail on 17 March 2022. The communication of additional documents was again requested by the CNIL.

23. On 30 March, 12 April and 3 June 2022, ADI sent the requested documents to the CNIL.

24. On 27 July 2022, the rapporteur notified the company of a report proposing that the restricted panel impose an administrative fine of six million euros for failure to comply with Article 82 of Law no. 78-17 of 6 January 1978 on information technology, files and freedoms (hereinafter "the Information Technology and Freedoms Law"), which he considered to have been committed in this case. It also proposed that this decision be made public, but that it should no longer be possible to identify the company by name after two years from its publication.

25. 25. On 29 July 2022, the company requested an additional period to submit its comments in response.

26. On 4 August 2022, the chairman of the restricted panel rejected this request.

27. On 19 September 2022, the company submitted its observations in response to the sanction report.

28. On 19 October 2022, the rapporteur sent his reply to the company's observations.

29. On 24 October 2022, the company requested an additional period to submit its second observations in response.

30. On 26 October 2022, the chairman of the restricted panel rejected this request.

31. On 21 November 2022, the company submitted new observations in response to those of the rapporteur.

32. On 22 November 2022, the rapporteur informed the company and the chairman of the restricted formation of the closure of the investigation. On the same day, the chairman of the restricted panel sent a notice to attend the meeting of the restricted panel on 8 December 2022.

33. On 23 November 2022, the company requested a postponement of the panel meeting.

34. On 24 November 2022, the chairman of the restricted panel granted this request and set the date of the meeting for 12 December 2022.

35. The rapporteur and ADI presented oral observations at the meeting of the restricted panel.

II. Reasons for the decision

A. On the competence of the CNIL

1. On the material competence of the CNIL and the applicability of the "one-stop shop" mechanism provided for by the RGPD

36. Under the terms of Article 82 of the Data Protection Act, which constitutes the transposition into domestic law of Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, "any subscriber to or user of an electronic communications service must be informed in a clear and comprehensive manner, unless he or she has been informed in advance, by the controller or his or her representative of 1° Of the purpose of any action intended to access, by electronic transmission, information already stored in his electronic communications terminal equipment, or to write information in this equipment; 2° Of the means available to him to oppose it.

Such access or recording may only take place on condition that the subscriber or user has expressed, after having received this information, his consent, which may result from the appropriate parameters of his connection device or any other device under his control. [...] ".

37. The rapporteur considers that the CNIL is materially competent to monitor and initiate a sanction procedure concerning the writing and/or reading of information implemented by ADI, i.e. on users' terminal equipment and which fall within the scope of the ePrivacy Directive.

38. It notes that the information provided by the company shows that this processing is part of the service implemented by ADI, called "Search Ads", for the purpose of personalising ads on the App Store. This allows developers to promote their application to users on the App Store based solely on the following criteria: "device type" (iPad, iPhone or both), "customer type" (new, old or all existing users), "demographic profile" (gender and age range), "location" (city, region or country) and "campaign planning" (start and end date of an advertising campaign).

39. If the setting for receiving targeted advertising in the App Store is enabled in the iPhone settings, the user will see applications promoted through the "Search Ads" service at the top of the search results. Conversely, if this setting is not activated, users will still receive an ad, which will not be personalised but contextual, depending on the search performed.

40. 40. To achieve this, the rapporteur notes that the company has set up a "technical architecture" that operates in several stages.

41. The first stage relates to data collection: when the Apple user account (commonly referred to as the "Apple Id") is created, a technical identifier called the "directory services identifier" (hereinafter "DSID") is assigned to each user account. The DSID is created on the company's servers. It is used, among other things, to access iCloud and the content, information and services associated with the Apple user account.

42. When browsing the App Store, the user's activity log (i.e., the fact that the user searches, downloads or purchases applications from the App Store), as well as the information that the user has entered in his or her Apple ID account (i.e., the user's year of birth, gender and location), is collected and associated with this DSID on Apple's "Apple Media Platforms" (hereinafter "AMP") servers.

43. If the setting for receiving targeted advertising in the App Store is enabled, this data is used to determine the segments to which a user will be assigned and, therefore, the advertisements that the user will receive. A "segment" is a group of at least 5,000 users who share similar characteristics and who have the setting for receiving targeted advertising in the App Store enabled in the iPhone settings.

44. The second step relates to the creation of identifiers specific to the personalisation of ads aimed at promoting mobile applications on the App Store: in order to avoid the distribution and measurement of advertising content involving the use of the DSID, the user's device will generate locally on the user's terminal two other identifiers:

- on the one hand, the "device pack identifier" (hereinafter the "DPID") which is synchronised via iCloud in order to ensure that all devices of the same user have the same DPID;

- on the other hand, the iADID, which is specific to each device and does not require synchronisation via iCloud.

45. Finally, the third step relates to the display of personalised ads on the user's device: when the user searches for an application in the App Store, his device sends an ad request to the Ad Platforms servers containing the word searched for, the DPID, the iADID and the identifiers relating to the segments concerning him, so that they can determine the targeted advertisement to be displayed first (all these elements being available locally on the terminal, the process avoids the possibility that the Ad Platforms servers can identify the Apple account associated with each request) The iADID can also be used to count the number of "ad impressions" made on a device, i.e. the number of times a given ad is displayed.

46. In view of these elements, the rapporteur maintains, on the one hand, that the company carries out read and/or write operations on users' terminals in order to authenticate the DSID of a user account registered as active on Apple's servers for the purpose of personalising advertisements intended to promote mobile applications on the App Store and, on the other hand, that the company performs a read operation of the DPID and the iAdId (as well as the list of segments associated with the person previously written in the terminal by the AMP servers) in the users' terminals during the requests sent to the Ad Platforms servers.

47. 47. In its defence, the company maintains that the processing for the purposes of personalising ads on the App Store that it implements is carried out either on its servers and does not fall within the scope of the CNIL's investigations, or on users' terminals solely for the purposes of "secure user authentication" or "protection of privacy" and therefore constitute operations falling within the exemptions from the collection of consent provided for in Article 82 of the Data Protection Act.

48. To examine the question of the material existence of read or write operations, the restricted formation considers that a distinction must be made between the DSID and the DPID/iAdId.

a. On read and/or write operations related to the DSID

49. In its defence, the company first acknowledges that "information is stored on a single Apple device to securely authenticate its user in connection with an Apple account DSID on Apple's servers" but states that this "information is not [...] used for advertising purposes". The company goes on to say that "searches performed in the App Store by users are necessarily followed by operations that allow Apple to return the search results to the device used. However, the operations in this context are not performed to create segments for advertising purposes, but simply to provide the service requested, i.e. the App Store. Finally, the company states that "all information used by Apple to create the segments described in comment #1 for the purpose of personalising ads is stored and maintained on Apple's servers".

50. The Panel first notes that it is clear from these elements that the company does not deny that it writes information on users' terminals in order to authenticate the DSID of a user account registered as active on Apple's servers.

51. Next, the Panel notes that although the company maintains that no information is stored and/or read on users' terminals in order to assign segments to them, it is nonetheless able to identify all requests relating to searches in the App Store to Apple's servers as coming from a single terminal associated with a specific account.

52. The Panel also notes in this regard that, when asked about this mechanism at the hearing on 16 March 2022, the company stated that "When the user searches the App Store and downloads applications or performs transactions through this platform, his activity is recorded by the server of the said platform and is associated with his 'directory services ID' (DSID), which is the technical identifier relating to the APPLE user account of the user (a DSID corresponds to an APPLE ID). Moreover, during the hearing, the DSID was presented as "essential to securely authenticate an Apple terminal and account". The restricted formation also notes that the rapporteur described the processing at issue, indicating in particular that "the DSID is the technical identifier relating to the user account of each user and allows the connection to be maintained when the user browses the various Apple services" and that this point was not contested by the company. It is clear from these elements that "information", which is then attached to the DSID, is read from the user's terminal in order to associate his downloads and the results of his searches with his Apple account.

53. Accordingly, the Panel considers that the company is reading and/or writing information on users' terminals to authenticate the DSID of a user account registered as active on Apple's servers.

b. On the operations of reading the DPID and the iAdId on the user's terminal

54. In its defence, the company acknowledges that "technical measures, such as 'storage' and 'access' operations on the terminal [...] are intended to replace the DSID with the DPID, in order to avoid linking the user's identity (the DSID) to the relevant segments applicable to that user", in accordance with the obligation of data protection by design provided for in Article 25 of the RGPD. With regard to the DPID, however, it specifies that this replacement operation is only taking place to protect "the privacy of its users". With regard to the iAdId identifier, it states that it "does not allow any tracking and is only used as a privacy-enhancing identifier in the context of statistical measurements".

55. The restricted formation recalls again that the only action aiming at accessing information already stored in a user's terminal equipment located in France entails the application of Article 82 of the Data Protection Act.

56. The restricted formation therefore considers that if the replacement of information attached to the DSID by third party identifiers (DPID and iAdId, which are generated directly by the user's telephone) has the advantage of avoiding the distribution of the DSID to APPLE's "Ad Platforms" dedicated to advertising (and therefore of breaking the link between the identifier and the identity of the person concerned), The fact remains that these two new identifiers (as well as the list of segments associated with the person previously written in the terminal by the AMP servers) are subsequently read in the user's terminal when requests are made to the Ad Platforms servers. They are in fact used during the stages relating to the selection and distribution of advertisements intended to promote targeted applications on the App Store, as well as for counting the number of times an advertisement is displayed on a device (measurement of "advertising impressions"), which therefore implies access to information already stored in the user's terminal equipment.

57. Consequently, the restricted formation considers that the company proceeds to a reading operation of the DPID and the iAdId (as well as the list of segments associated with the person previously written in the terminal by the AMP servers) in the user's terminal during the requests sent to the "Ad Platforms" servers.

c. On subsequent processing and the applicability of the "one-stop shop" mechanism provided for by the RGPD

58. In its defence, the company argues that the writing and/or reading of identifiers that take place on the user's terminal equipment when using the App Store and the subsequent use of the data collected by these identifiers for the purposes pursued by the controller are indissociable. Thus, the company considers that "the rapporteur does not respond to the analysis [...] according to which the CNIL would not be competent under the GDPR". It states that the operations aimed at assigning segments to a given user take place on the APPLE group's AMP servers and not on the user's terminal, "provided that an Apple device has authenticated itself to the server". It deduced that "this processing can therefore only be "further processing" carried out after any "reading" or "storing" operation carried out for authentication". Consequently, the company considers that, insofar as the CNIL has initiated a sanction procedure against it concerning only the operations of writing and/or reading identifiers that take place on the user's terminal equipment when they use the App Store, it is not justified in mobilising, in its demonstration, elements related to the processing subsequent to these operations, in this case the activities carried out subsequently on Apple's servers which do not "consist of storing or accessing information on the user's device. It considers that these processing operations do not fall under Article 82 of the Data Protection Act but under the RGPD and that, insofar as its principal place of business is located in Ireland, the competence to initiate such a procedure would lie with the Irish data protection authority, the lead authority under Article 56 of the RGPD, which is competent to implement the cooperation mechanism between supervisory authorities, known as the "one-stop shop" mechanism, provided for in Chapter VII of the Regulation.

59. The restricted formation recalls, first of all, that a distinction must be made between, on the one hand, reading and writing operations on a terminal, which are governed by the provisions of Article 82 of the Data Protection Act and for which the French legislator has entrusted the CNIL with a supervisory role and, in particular, with the power to sanction any infringement of this article, and, on the other hand, the use of a terminal for the purposes of data protection, on the other hand, the subsequent use of the data produced or collected through these operations, which is governed by the RGPD and may therefore, if necessary, be subject to the "one-stop shop" mechanism.

60. It then recalls that the Conseil d'Etat, in its decision Société GOOGLE LLC and Société GOOGLE IRELAND LIMITED of 28 January 2022, confirmed that the control of operations of access or registration of information in the terminals of users in France of an electronic communications service, even when proceeding from cross-border processing, falls within the competence of the CNIL and that the one-stop-shop system provided for by the RGPD is not applicable: "no provision has been made for the application of the so-called "one-stop shop" mechanism applicable to cross-border processing, as defined in Article 56 of this Regulation, for the implementation and control measures of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the national supervisory authorities by virtue of Article 15a of that Directive. It follows that, as far as the control of operations of access and recording of information in the terminals of users in France of an electronic communications service is concerned, even if they are the result of cross-border processing, the measures for controlling the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the law of 6 January 1978 [...(CE, 10th and 9th joint chambers, 28 January 2022, GOOGLE LLC and GOOGLE IRELAND LIMITED, n° 449209, pt. 12). The Council of State reaffirmed this position in a ruling of 27 June 2022 (CE, 10th and 9th joint chambers, 27 June 2022, AMAZON EUROPE CORE, No. 451423).

61. Finally, the restricted formation notes that although the rapporteur's writings contain references to the consequences of writing and/or reading information on users' terminals in order to authenticate the information attached to the DSID of a user account as well as that of the DPID and the iAdId for Internet users, they do not contain any analysis of the compliance with the RGPD of the subsequent processing of personal data carried out on the basis of the data collected by means of these trackers. Only the reading and/or writing operations of the DPID, DSID and iAdId identifiers and their purposes will be analysed to determine whether Article 82 of the French Data Protection Act is applicable.

62. Consequently, the restricted panel considers that the CNIL is competent to monitor and initiate a sanction procedure concerning the processing operations implemented by the company falling within the scope of the ePrivacy Directive, provided that the processing operation falls within its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

63. Under the terms of paragraph I of Article 3 of the Data Protection Act, which sets out the rule for the territorial application of the requirements set out in Article 82 of the Data Protection Act:

"Without prejudice, as regards processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, to the criteria provided for in Article 3 of that Regulation, all the provisions of this Act shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or processor on French territory, whether or not the processing takes place in France. "

64. The rapporteur considers that the CNIL is territorially competent in application of these provisions since the processing subject of the present procedure, consisting of operations of reading and/or writing information in the mobile terminals of users residing in France when using the App Store, is carried out in the "framework of the activities" of the companies APPLE RETAIL FRANCE and APPLE FRANCE, which constitute the "establishment" of ADI on French territory, which are involved in the promotion and marketing of ADI's products and their advertising solutions in France.

65. 65. In its defence, the company contests the territorial jurisdiction of the CNIL insofar as there is no "indissociable link" between the activities of APPLE RETAIL FRANCE and the processing at issue. The company considers in this sense that "the simple sale of computer hardware does not create [...] a link with the processing operations carried out by the software present on this hardware". It therefore considers that the second criterion for territorial application of the Data Protection Act, provided for in Article 3(1), is not met, namely that the processing in question is carried out "in the context of the activities of this establishment". Similarly, with regard to APPLE FRANCE, ADI also considers that the territorial jurisdiction of the CNIL is not established. It maintains that there cannot be an "indissociable link" between the activities of APPLE FRANCE and the processing at issue insofar as "the hiring of the 'Search Ads Specialists' in France" has not resulted in a significant difference in income and that they do not carry out an "activity of promotion and marketing of advertising tools".

66. The restricted formation recalls that under Article 3 of the Data Protection Act, the CNIL is competent to exercise its powers when the two criteria provided for in this article are met, in this case, the existence of an establishment of the data controller on French territory and the existence of processing carried out in the context of the activities of this establishment.

67. As regards, firstly, the existence of an establishment of the controller on French territory, the Court of Justice of the European Union (CJEU) stated in its Weltimmo judgment of 1 October 2015 that "the concept of 'establishment', within the meaning of Directive 95/46, extends to any real and effective activity, however minimal, carried out by means of a fixed establishment", the criterion of stability of the establishment being examined in the light of the presence of "human and technical resources necessary for the provision of the specific services in question". The CJEU considers that a company, an autonomous legal person, of the same group as the controller, may constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, pt 48).

68. In the present case, the panel notes that APPLE RETAIL FRANCE and APPLE FRANCE are both subsidiaries of APPLE INC and have permanent premises located in France. It also notes that APPLE FRANCE employs approximately [...] people. Consequently, APPLE RETAIL FRANCE and APPLE FRANCE each constitute an establishment of ADI within the meaning of Article 3 of the Data Protection Act.

69. Secondly, with regard to the existence of processing carried out in the context of the activities of that establishment, the restricted formation recalls that it is not necessary for the processing at issue to be carried out "by that establishment" (CJEU, 13 May 2014, Google Spain, C-131/12, pt. 57), i.e. by the companies APPLE RETAIL FRANCE or APPLE FRANCE, as data controllers, and that it is sufficient that one and/or the other of these establishments facilitates or promotes sufficiently the deployment in the French territory of the processing of personal data implemented by the data controller established in another Member State (the company ADI) for there to be an obligation to comply with the law territorially applicable in France and to base the competence of the national supervisory authority.

70. In this sense, the restricted panel notes that, in its decision AMAZON EUROPE CORE of 27 June 2022, the Conseil d'État recalled that "it follows from the case law of the Court of Justice of the European Union, in particular from its judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16), in the light of the objective pursued by that directive [the e-Privacy Directive] of ensuring effective and comprehensive protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of privacy and the protection of personal data processing of personal data may be regarded as being carried out "in the course of the activities" of a national establishment not only if that establishment is itself involved in carrying out that processing, but also if the latter merely carries out, on the territory of a Member State the promotion and sale of advertising space in order to make profitable the services offered by the controller of a processing operation consisting in collecting personal data by means of connection tracers installed on the terminals of visitors to a site" (EC, 10th and 9th chambers, 27 June 2022, AMAZON EUROPE CORE, No. 451423, pt. 10). The Council of State considered in the same decision that this was the case when the activities of the controller's establishment consisted of the promotion and marketing of advertising tools controlled and operated by the controller, which functioned in particular thanks to the data collected through connection tracers deposited on the terminals of users of the site operated by the controller (pt. 15 of the above-mentioned decision).

71. First of all, with regard to APPLE RETAIL FRANCE, the restricted formation notes that the information and identifiers deposited and/or read by ADI make it possible to feed the advertising tools that the latter develops and which are, in particular, part of the App Store integrated into the phones sold by APPLE RETAIL FRANCE. The operating system embedded in mobile terminals is marketed in France only on ADI's products through APPLE RETAIL FRANCE. The latter, whose mission is to market specifically in France the terminals manufactured by the APPLE group, while also offering a range of services, contributes to promoting the APPLE group's products. Thus, insofar as each telephone sold by APPLE RETAIL FRANCE contains the App Store application by default, the restricted formation considers that the latter's activity directly and necessarily contributes to the fact that people who own an iPhone can access the App Store and carry out searches, the results of which will be personalised by ADI.

72. In addition, with regard to APPLE FRANCE, the restricted formation notes that, in the context of the "Search Ads" service implemented by ADI allowing developers to promote their application to users on the App Store, APPLE FRANCE employs "Search Ads Specialists". According to the company, their role is "to assist app publishers in understanding the tools provided by Apple in Search Ads, and to make recommendations on how best to optimise and structure their campaigns, for example, by assisting them in choosing keywords for the campaign based on the app to be promoted and helping them choose targeting criteria (geography, age, etc.). Therefore, the information and identifiers deposited and/or read by ADI allow developers who want their applications to be presented in the App Store to better target their audience. The fact that the "Search Ads Specialists" only generated an "insignificant difference in revenue" or do not themselves directly carry out an activity of "promotion and marketing of advertising tools" is inoperative.

73. Consequently, the restricted formation considers that an indissociable link is established between, on the one hand, the operation of reading and/or writing information to authenticate the DSID of a user account as well as those of the DPID and iAdId identifiers in the mobile terminals equipped with the iOS operating system of users residing in France during the use of the App Store by the company ADI and, on the other hand, the activities of APPLE FRANCE in that it advises application developers in their advertising campaigns and APPLE RETAIL FRANCE as promoter of the iOS operating system.

74. The restricted formation notes that the two criteria provided for in Article 3, paragraph I, of the Data Protection Act are therefore met.

75. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including the power to impose sanctions on processing operations falling within the scope of the ePrivacy Directive.

B. On the procedure

76. In its defence, the company first argues that the penalty procedure is based on facts that are obsolete or have not been found. It states that the "report focuses on version 14.6 of iOS, the operating system for iPhones, which is not the updated version [iOS 15]" and that, therefore, "contrary to the Reporter's assertion [...] the personalised ad setting was in no way activated 'by default' at the date of the Report. Moreover, iOS 15 was available during most of the monitoring and investigation process prior to the Report's disclosure. During the hearing before the restricted panel, the company also argued that insofar as the CNIL control delegation did not create an account when the phone was initialised during its investigations, it was therefore unable to materially observe the reading and/or writing operations on which the rapporteur relied to characterise its breach of Article 82 of the Data Protection Act.

77. The company then argues that the procedure followed by the CNIL does not respect the right to a fair trial and the principles of foreseeability and legal certainty, as guaranteed by Articles 6 and 7 of the Convention for the Protection of Human Rights and Fundamental Freedoms. With regard to the right to a fair trial, the company considers firstly that its right not to participate in its own incrimination was violated insofar as, during the investigation phase, it voluntarily transmitted documents that were subsequently retained as "incriminating evidence against it" in the framework of the sanction procedure. It maintained that these elements had been obtained under duress or pressure because it was obliged to respond to the CNIL's requests under Article 18 of the Data Protection Act. Consequently, it considered that the restricted panel should close the procedure as it stood. The company then considered that it had not been given the time it needed to prepare its defence fairly, as its requests for an extension of the deadline for replying to the rapporteur had been systematically refused. It argues that "distance time limits" should have been applied simply because it is not in metropolitan France. It further argues that the principle of equality of arms was not respected because it was not given sufficient time to prepare the English translations of the "essential documents of the sanction procedure", namely the report and the rapporteur's reply. Finally, the company argues that the 'rapporteur did not include in his pleadings Apple's letter to the CNIL dated 30 March 2022 in which it submitted detailed observations on the minutes of the hearing of 16 March 2022 [...]'. With regard to the violation of the principles of foreseeability and legal certainty, ADI considers that it "could not reasonably foresee that it [APPLE RETAIL FRANCE] was going to be implicated in the present proceedings" when it had "never received a request or question from the CNIL". It therefore asked that the elements relating to this entity be set aside.

1. On the facts on which the procedure is based

78. 78. The restricted panel first noted that version 14.6 of the iPhone's operating system was the system available on the day of the online test on 16 June 2021 and that it was therefore legitimate for the analysis of the compliance of the processing operations implemented to focus on this system. Although the restricted panel notes the efforts that the company made during the procedure to create new parameters that would require users to accept that information be recorded and/or read in their terminal, the fact remains that the breach retained by the rapporteur is limited to version 14.6 of the iPhone operating system, on the basis of the observations made by the CNIL's inspection delegation. The restricted panel notes that the materiality of the operations of reading and/or writing information on the users' terminal within the meaning of Article 82 of the Data Protection Act is apparent from the answers provided by the company to the documentary checks and the existence of these operations is therefore established in the file for users of versions prior to version 14.6.

79. Accordingly, the Panel considers that it follows from these elements that the procedure is not based on "obsolete facts".

2. Respect for the right to a fair trial and the principles of foreseeability and legal certainty

80. The restricted formation considers first of all that, contrary to what the company maintains, the elements referred to in its writings were not obtained by coercion or pressure. It emphasised that the right not to contribute to one's own incrimination is intended, inter alia, to avoid miscarriages of justice through the use of pressure to obtain evidence. It also notes that under the case law of the European Court of Human Rights, the right not to incriminate oneself "does not extend to the use in criminal proceedings of data which can be obtained from the accused by means of coercive powers but which exist independently of the suspect's will, for example documents collected under a warrant" (ECHR, Saunders v. the United Kingdom, 17 December 1996)

81. In the present case, all the information gathered by the CNIL was gathered as part of a control procedure based on Article 19 of the Data Protection Act, through documentary and on-site checks, as well as during a hearing requested by the company. While the provisions of Article 18 of the Data Protection Act oblige the organisations inspected to provide the CNIL with the information requested, the restricted committee noted that the information provided by the company contained only objective facts describing the technical architecture of its "Search Ads" processing.

82. The restricted panel then recalls that when the supervisory delegation requests information, in particular factual information, from an organisation, no accusation has yet been made against it, so that the "adversarial" phase, as understood by the case law of the European Court of Human Rights, has not yet begun. The restricted panel also notes that the company then had ample opportunity to challenge the findings of the inspection delegation and their analysis by the rapporteur.

83. 83. Next, concerning the right to have the time and facilities necessary to prepare one's defence, the restricted formation recalls that this right is one of the components of the right to a fair trial contained in Article 6 of the Convention for the Protection of Human Rights and Fundamental Freedoms and which must, in accordance with the case-law of the European Court of Human Rights, be analysed in the light of its function in the general context of the proceedings (see, inter alia, Mayzit v. Russia, 20 January 2005).

84. Moreover, pursuant to Article 40 of Decree No. 2019-536 of 29 May 2019, the implementation of the adversarial principle means that any document, argument, exhibit or reply letter must be communicated to the respondent, the rapporteur and the restricted formation. This article provides that the controller who is notified of a report proposing a sanction has, first of all, a period of one month to send his observations to the restricted panel and the rapporteur. When the circumstances of the case or the complexity of the matter so justify, the chairman of the restricted panel may decide, at the request of the body concerned, to extend this period by up to one month. The same article then grants the controller a second period of one month to respond to the rapporteur's observations in reply. These time limits are designed to ensure that the rights of defence are respected. Finally, the controller may present oral observations during the meeting before the restricted formation.

85. In this case, the restricted panel notes that the company was given a period of one month and 23 days to produce its observations, it being recalled that Article 40 of Decree No. 2019-536 of 29 May 2019 imposes a minimum period of one month. Furthermore, as the Conseil d'Etat recalled in its decision Société GOOGLE LLC of 19 June 2020, "no rule or principle imposes the institution, in terms of administrative sanction procedure, of a time limit for distance, applicable to applicants domiciled outside metropolitan France" (CE, 10th and 9th chambers combined, 27 June 2022, Société GOOGLE LLC, n° 430810, pt 13). Finally, given that the company was given a new period of time to submit written observations to the rapporteur's response, and that it was given the opportunity to express itself again before the restricted panel, the latter considers that the company's rights of defence have not been infringed.

86. In addition, with regard to the involvement of APPLE RETAIL FRANCE in the procedure, the restricted panel notes that the decision of the Commission President to initiate sanction proceedings only concerns APPLE DISTRIBUTION INTERNATIONAL. It therefore considers that, contrary to what is claimed, APPLE RETAIL FRANCE is not involved in the present procedure. It also considers that the elements introduced by the rapporteur in his writings concerning this company did not hinder the preparation of ADI's defence, insofar as they had been communicated by ADI itself concerning its membership of the APPLE group or were publicly accessible in the trade and companies register concerning its corporate purpose.

87. Finally, the restricted panel considers that the "omission" of the letter of 30 March 2022, to use the company's words, does not deprive it of procedural guarantees. This document submitted to the debate by ADI was examined by the restricted formation, which in any case is not in possession of documents of which the company was not aware.

88. Consequently, the restricted formation considers that it follows from these elements that the company's right to a fair trial as well as the principles of foreseeability and legal certainty have been respected.

C. On the failure to comply with the provisions of Article 82 of the French Data Protection Act with regard to version 14.6 of iOS

89. As recalled in point 36, Article 82 of the Data Protection Act is the transposition into domestic law of Article 5(3) of the ePrivacy Directive.

90. The rapporteur, in proposing that the restricted panel consider that the company has failed to comply with its obligations under Article 82 of the Data Protection Act, bases himself on the fact that the operations of reading and/or writing information to authenticate the DSID of a user account and the DPID and iAdId identifiers on the user's terminal for advertising purposes requires that the latter has given his prior consent, under the conditions provided for by the provisions of Article 82 of the amended Act of 6 January 1978, as clarified by Article 4, paragraph 11, of the RGPD.

91. The rapporteur notes, firstly, that the findings show that at the end of the initialisation process on the phone equipped with the iOS 14.6 version of the operating system, the user was not presented with any mechanism designed to obtain his prior consent to the operations consisting in reading the aforementioned information and identifiers on his terminal. The rapporteur then notes that once the phone had been initialised, the delegation found that the tab entitled "Personalised Advertisements" in the "Apple Advertising" menu of the privacy settings was activated. He therefore considers that the user path of the iOS 14.6 version of the operating system did not allow for a valid collection of consent under the conditions set out in the above-mentioned Article 82.

92. The rapporteur then notes that the company stated that it had rolled out an update to the iOS operating system on 20 September 2021. This update obliged new users and those already equipped with an APPLE branded mobile device, for whom the "Personalised Ads" setting was activated and who could install the update, to make a choice when they first launched the App Store. This choice is manifested by a positive act and it is necessary to click on the "Enable personalised ads" button or the "Disable personalised ads" button, and thus concerns the user's acceptance that his or her personal data be processed for the purpose of targeted advertising. He notes that this new window constitutes an improvement in terms of consent gathering, insofar as the user is offered a choice relating to targeted advertising and could therefore constitute a valid mechanism for gathering consent to the reading of the above-mentioned information and identifiers on the user's terminal, pursuant to Article 82 of the above-mentioned law. Nevertheless, the rapporteur notes that the statement "Apple does not track your activities" is misleading, insofar as the reading and/or writing of the aforementioned information and identifiers on the user's mobile terminal is carried out for advertising purposes. Therefore, it makes this compliance subject to three conditions: that the window is written in French, that the statement "Apple does not track your activities" is amended and that no identifier is used for advertising purposes before the user's consent has been validly obtained via this window.

93. 93. In its defence, the company maintains firstly, as explained in paragraph 47, that the processing operations it carries out do not fall within the scope of the ePrivacy Directive or benefit from the exemption from the collection of consent within the meaning of Article 82 of the Data Protection Act. The company then argues that the new window designed to collect consent under the new version of the iOS 15 operating system has always been available in French. It considers that the information provided cannot be considered misleading or insufficiently accurate, but in any case indicates that the statement "Apple does not track your activities" should be replaced by "Apple does not track your activities on third-party apps and sites". It states that this change will be effective by March 2023. Finally, it confirms that no identifiers are stored on the device or read for advertising purposes before this window is presented to the user.

94. Firstly, the restricted formation recalls, as it developed in points 49 and following, that it considers that ADI carries out reading and/or writing operations on the user's terminal.

95. The restricted panel recalls that Article 82 of the Data Protection Act requires consent for operations of reading and writing information on a user's terminal, but provides for specific cases in which certain tracers benefit from an exemption from consent: either when the sole purpose of the tracer is to allow or facilitate communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.

96. The restricted panel notes in this respect that the Commission specifies, in its guidelines of 17 September 2020, that "the use of the same tracker for several purposes, some of which do not fall within the scope of these exemptions, requires the prior consent of the persons concerned, under the conditions recalled by these guidelines. For example, in the case of a service offered via a platform requiring user authentication ("logged-in universe"), the service provider may use a cookie to authenticate users without asking for their consent (because this cookie is strictly necessary for the provision of the online communication service). On the other hand, he may only use this same cookie for advertising purposes if the users have effectively given their prior consent to this specific purpose.

97. The restricted formation considers that in order to determine whether the operations of reading and/or writing of multi-purpose identifiers, such as DSIDs, DPIDs and iAdIds, on the users' terminal requires the prior collection of their consent, it is necessary to determine whether the purposes announced by the company are all exempt from the collection of consent.

98. With regard to the information attached to the DSID, the Panel considers that if this identifier is created for each user account on the APPLE group's servers, "information" is read on the user's terminal equipment to enable the association of requests made to a user account (i.e. the fact that the user carries out a search, and later to assign that unique user to segments within a universe that requires authentication (the so-called "authenticated" or "logged in" universe), in this case the App Store. Even though the main function of this "information" would be to allow the authentication of a user within a logged universe - and would be qualified as an essential purpose because it is strictly necessary for the provision of an online communication service at the express request of the user -, the fact that the information collected thanks to these tracers can be used to allow segmentation for advertising purposes necessarily prevents the said tracers from falling into the categories of tracers the reading of which is exempted from consent within the meaning of the above-mentioned Article 82. The restricted panel therefore considers that the company accesses information aimed at maintaining the authenticated connection, for several purposes: on the one hand, authentication and then maintenance of the user within the authenticated universe of the App Store and, on the other hand, the collection of traces of the user's activity in the context of the App Store in order to assign him or her or to reassign him or her to one or more segments which will subsequently be used to send him or her personalised advertisements intended to promote mobile applications on the App Store.

99. With regard to the replacement of information attached to the DSID by the DPID and iAdId identifiers on the users' terminal, the restricted formation first notes that the purpose of reading the DPID and iAdId identifiers stored in the user's terminal equipment and sending them to the company's servers is to disseminate advertisements for applications targeted according to the user's profile. Consequently, the restricted panel considers that these operations have an advertising purpose and are not exclusively intended to allow or facilitate communication by electronic means, nor are they strictly necessary for the provision of an online communication service at the express request of the user, within the meaning of Article 82 of the Data Protection Act.

100. Secondly, with regard to the argument that the steps relating to the replacement of information attached to the DSID by the DPID and the iAdId are implemented in order to respect the principles of protection of privacy and that, in their absence, the company could link the information relating to the advertisements disseminated to the user's identity, The restricted panel emphasised that the technical architecture underlying the "Search Ads" service in itself makes it possible to make subsequent processing related to the personalisation of ads less intrusive for the persons concerned. On the other hand, it considers that, since Article 82 of the Data Protection Act is applicable, it is necessary to respect its conditions, in particular those related to obtaining consent prior to any reading operation taking place on the user's terminal equipment, except for operations related to the functioning of electronic communications or strictly necessary to provide a service requested by the user. In other words, the restricted panel considers that the fact of implementing other measures to protect privacy at the design stage does not allow for exemption from the rule set out in Article 82 of the Data Protection Act.

101. Consequently, it considers that these operations require the user's prior consent, under the conditions provided for by Article 82 of the amended Act of 6 January 1978, as clarified by Article 4, paragraph 11, of the RGPD.

102. Secondly, the Select Committee notes that the consent of individuals must be unambiguous and that it follows from the "Planet 49" decision of 1 October 2019 of the CJEU that the use of pre-checked boxes cannot be considered as a clear positive act aimed at giving consent (CJEU, 1 Oct. 2019, C-673/17). Moreover, in the context of the guidelines of 17 September 2020, the Commission took care to specify that "consent must be manifested by means of a positive action by the person who has previously been informed of the consequences of his choice and has the means to express it".

103. In the present case, the restricted panel notes that it is clear from the findings in the section entitled "Apple Advertising" that the advertising targeting parameters are pre-checked by default. It considers that by being authorised "by default", the advertising targeting processes cannot be considered to have been accepted by a positive act by the users.

104. 104. The restricted formation also recalls that this stage of consent gathering comes late in the phase of the user's getting used to the phone and that it is optional because it is not integrated into the phone's initialization process. Furthermore, this step is only accessible after the user has clicked on the "Settings" icon on the iPhone, gone to the "Privacy" menu, and then clicked on the section entitled "Apple Advertising". The Commission considers that it is difficult for the user to validly accept or refuse these operations, insofar as the user who has completed the initialization process of his phone (a fortiori when the process includes a large number of steps as in the present case) may legitimately believe that he no longer needs to proceed with other configurations before consulting the App Store.

105. Finally, the restricted panel considers that the company is implementing data processing on a considerable scale given the predominant position of the Apple operating system on the French mobile operating system market and the proportion of telephone users in France who use ordiphones. It also notes that this targeting is based on people's interests and lifestyle habits and that the company's use of browsing and profile data from the App Store to target advertising is therefore significant. Consequently, the restricted panel considers that, in view of the scale of the processing and the imperative need for users to retain control of their data, they must be put in a position to give valid consent.

106. Consequently, the restricted panel considers that ADI is accessing information already stored or read on users' terminals for the purpose of personalising ads in the App Store without first obtaining their consent, in disregard of the provisions of Article 82 of the Data Protection Act.

D. On the new window designed to collect consent under the new iOS 15 version of the operating system

107. The panel notes that the new consent box for the new version of the operating system iOS 15 is written in French. It notes that the company undertakes to complete the statement "Apple does not track your activities" by March 2023. Finally, it notes that no identifiers are used for ad personalisation purposes in the App Store before this window is presented to the user.

108. Consequently, the restricted panel considers that this new window constitutes a mechanism for obtaining prior valid consent to the reading of the aforementioned information and identifiers on the user's terminal, pursuant to Article 82 of the amended Act of 6 January 1978.

109. The restricted formation considers that a breach of the obligations arising from Article 82 of the Data Protection Act was constituted for the past on version 14.6 of the operating system since it was incumbent on the company to obtain the consent of users prior to writing and/or reading information on their terminal equipment for the purpose of personalising advertisements intended to promote mobile applications on the App Store.

It noted that, in the context of the present procedure, the company had justified having taken measures to comply with the obligations arising from Article 82 of the Data Protection Act, which did not, however, call into question the existence of the breach for past events.

III. Corrective measures and their publicity

111. Under the terms of Article 20 III of the Data Protection Act :

"When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the president of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent it the warning provided for in I of this article or, where appropriate, in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures : (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine that may not exceed 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover for the previous financial year, whichever is higher. In the cases referred to in Articles 5 and 6 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings shall be increased to EUR 20 million and 4% of the said turnover respectively. The restricted formation shall take into account, in determining the amount of the fine, the criteria specified in the same Article 83."

112. Under Article 83 of the GDPR, as referred to in Article 20(III) of the Data Protection Act:

"1. Each supervisory authority shall ensure that administrative fines imposed under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. Depending on the specific features of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following factors

(a) the nature, gravity and duration of the breach, having regard to the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them ;

(b) whether the breach was committed intentionally or negligently;

(c) any measures taken by the controller or processor to mitigate the damage suffered by the data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32 ;

(e) any previous relevant breach by the controller or processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any adverse effects;

(g) the categories of personal data affected by the breach;

(h) the manner in which the supervisory authority became aware of the breach, including whether and to what extent the controller or processor notified the breach;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned in respect of the same matter, compliance with those measures;

(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and

any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach. "

A. On the imposition of an administrative fine

113. In its defence, the company considers, primarily, that it cannot be accused of any violation of Article 82 of the French Data Protection Act and, therefore, that no fine can be imposed on it. In this respect, it points out that the processing for the purpose of personalising ads on the App Store that it implements is carried out either on its servers and is not part of the scope of the CNIL's investigations, or on users' terminals solely for the purpose of "protecting privacy" and therefore falls within the scope of the exemptions provided for in Article 82 of the Data Protection Act. In the alternative, the company considers that the amount of the fine proposed by the rapporteur is disproportionate and that several criteria provided for in Article 83(2) of the GDPR are inoperative in this case, in particular those referring to the nature, seriousness and scope of the processing and the level of harm suffered by individuals. It further argues that the consent window in the new iOS 15 version of the operating system was always available in French for users who selected that language, contrary to what the rapporteur argued. It further argues that the worldwide turnover is not a relevant criterion to be taken into account when deciding the amount of the fine itself and that its only function is to prevent the amount retained by the restricted formation from exceeding the ceiling provided for by the GDPR. It adds that the amount proposed by the rapporteur corresponds to [...]. Finally, it notes that the fine proposed by the rapporteur is out of all proportion to the fines it has already imposed.

114. In view of the elements developed above, the restricted formation considers that the above-mentioned facts, constituting a breach of Article 82 of the Data Protection Act, justify the imposition of an administrative fine on ADI, the legal entity responsible for the processing. The Commission recalls that the changes made by the company to the window for collecting consent in the new version iOS 15 of the operating system since September 2021 have no bearing on the imposition of a fine insofar as the fine is intended to punish the facts observed during inspections concerning the iOS 14.6 version of the iPhone operating system.

115. The restricted formation recalls that Article 20, paragraph III, of the Data Protection Act gives it the power to impose various sanctions, in particular an administrative fine, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year achieved by the controller. It adds that the determination of the amount of this fine is assessed in the light of the criteria specified in Article 83 of the RGPD.

116. In the case in point, the restricted formation considers that the breach in question justifies the imposition of an administrative fine on the company for the following reasons.

117. First of all, the restricted panel notes the seriousness of the breach, insofar as the ad personalisation parameters are pre-checked by default, the company carried out operations to read and/or write information or identifiers on the terminals of users located in France for the purpose of personalising ads without first obtaining their consent and deprived them of the possibility of exercising their choice in accordance with the provisions of Article 82 above.

118. The restricted formation considers that the seriousness of the breach is accentuated by the fact that this stage of consent gathering occurred late in the phase of the user taking control of the telephone and that it was optional because it was not integrated into the telephone initialisation process.

119. The restricted formation observes that the seriousness of the breach must also be assessed in the light of the scope of the read and write operations in question and the number of persons concerned.

As regards the scope of the read and write operations, the restricted formation notes that Apple's App Store is the only official distribution channel for mobile applications on iOS devices for developers, since the company does not allow applications to be downloaded outside its App Store. People using the iOS 14.6 version of the iPhone operating system are therefore dependent on the choices made by ADI regarding their privacy.

121. With regard to the number of people concerned by the operations of reading and/or writing the above-mentioned information and identifiers on their mobile terminal, it appears from the information provided by the company that 27.5 million mobile terminals equipped with the operating system connected to the French App Store using an IP address registered in France between 5 July 2020 and 5 July 2021 (for free or paid downloads, re-downloads or updates). While this number does not mean that 27.5 million users did not consent to read and/or write the above information and credentials on their mobile device, it does reflect the company's significant position in the mobile operating system market.

122. Secondly, the restricted formation considers that ADI, which has achieved a worldwide turnover for the year 2021 of approximately [...] dollars, i.e. approximately [...] euros (according to the current exchange rate), has derived a definite financial advantage from the infringement committed. Indeed, as indicated above, the read and/or write operations allow the company to present users, when they search the App Store, with personalised advertisements promoting applications. The panel notes that while the company's main activity is the sale and distribution of APPLE group products in Europe, the personalisation of ads enables it to increase its revenue. However, by not obtaining the consent of users to read and/or write the aforementioned information and identifiers, the company increases the number of users to whom the personalisation of ads will be carried out.

123. The Panel notes, however, as a mitigating circumstance, that the steps relating to the replacement of information attached to the DSID by the DPID and the iAdId are implemented in order to respect the principles of privacy protection and that in their absence, the company could link the information relating to the advertisements broadcast to the identity of the user, which would further infringe his privacy.

124 It follows from all the above and the criteria duly taken into account by the restricted formation, in view of the maximum amount incurred, established on the basis of 2% of turnover, that it is justified to impose an administrative fine of EUR 8 million.

B. On the publicity of the decision

125 In its defence, the company argued that such a measure would be neither necessary nor proportionate in light of the alleged infringement that it refutes and its compliance with the new consent collection window available under version iOS 15 of the operating system.

126. The Panel considers that in view of the above, an additional advertising sanction is justified. Account is also taken of the dominant position of the Apple operating system on the French market for mobile operating systems and the proportion of telephone users in France who use ordiphones, the seriousness of the infringement and the interest that this decision represents for the information of the public, in determining the duration of its publication.

FOR THESE REASONS

The CNIL's restricted formation, after having deliberated, decides to :

- to impose an administrative fine on APPLE DISTRIBUTION INTERNATIONAL in the amount of 8,000,000 (eight million) euros for failure to comply with Article 82 of the French Data Protection Act;

- to make its decision public on the CNIL website and on the Légifrance website, which will no longer identify the company by name after a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed to the Council of State within four months of its notification.
Return to the top of the page

    About this version Legal notice Privacy policy Sitemap Open data and API Accessibility: partially compliant

    service-public.fr data.gouv.fr Digital labour code government.fr france.fr