
Apple faces potential 6 million euro fine from CNIL for data protection law violations. One question: why so little?

On Monday, December 12th, Francois Pellegrini, a senior official at the Commission Nationale de l’Informatique et des Libertés (CNIL), submitted a report to the CNIL’s sanction committee, which finds Apple in violation of data protection law. His report recommends a fine of €6 million. [1]

The sanction body ultimately has full discretion in its final decision, but these recommendations “typically carry a lot of weight”. [2] 

This case originates from a submission by France Digitale, an association of tech startups, which encouraged CNIL to investigate Apple’s data processing practices under iOS 14. France Digitale observed that Apple collected cross-site data for the purpose of personalised advertising by default, in clear violation of GDPR and the ePrivacy directive. The complaint passionately appealed against the inequity of a situation in which tech giants play fast and loose with the law, which small companies are obliged to follow to the letter, for fear of the penalties of non-compliance.  

Gary Davis, Apple’s Global Director of Privacy & Law Enforcement, expressed perplexity at the rapporteur’s decision and questioned, “how a privacy-by-design feature interfere[s] with the privacy rights of an individual?”. He also stated that he was concerned that a sanction decision would discourage the development of “privacy-by-design technology”. [3] 

Disappointingly, this point was acknowledged by the rapporteur, who said Apple’s architecture of “privacy-by-design” was considered in determining the size of the penalty. [4] €6 million is clearly insignificant when compared to both Apple’s capacity to pay and fines issued by CNIL in recent years. For instance, in December 2021, Google and Facebook were fined €150 million and €60 million, respectively, following complaints that website cookies could not be refused as easily as they could be accepted. [5] 

Under the law, Apple is in breach of GDPR. Regulators should not let it off the hook because of a well-executed PR campaign.

To be clear, Apple’s privacy-branded changes in iOS 14, which include App Tracking Transparency (ATT), requiring developers to secure user permission to track data across other apps or services, have little to do with user privacy and a lot to do with Apple’s bottom line.  

Apple’s system is not designed to be private, but rather to shut off third parties from data collection, whilst continuing to harvest the very same data itself to sell to advertisers.

The company’s policy of collecting and processing user information, whilst restricting others from doing the very same, is baked into the App Store’s definition of tracking, which specifies that data must be “collected from other companies’ apps, websites, or offline properties”. This is substantially different from the definition of tracking used by the World Wide Web Consortium (W3C) standards-making body and any regulatory authority, which would define tracking on the basis of what information is being collected and for what purpose, not by whom.

Likewise, Apple’s Privacy Policy states that it collects user information with a Random Identifier (rather than linked to the user’s account), but relies on the same identifier across various apps. This would not be necessary if Apple were limiting tracking to only a single app. [6] This was demonstrated recently by security researchers, who found that Apple continues to track users even when prohibited by user privacy settings. Apple relies on the same identifiers associated with various devices, which similarly would not be necessary if it treated each device independently of all others.

The proof of Apple’s extensive data use is plain. Apple’s ad share is soaring (some researchers estimate that Apple’s ad business could be worth $30 billion annually by 2026) because it processes rich data itself and reduces others’ ability to process the same data if the end-user is on iOS software.  

Regulators would be wrong to treat Apple as “one of the good guys” that, in this case, was unfortunately tripped up by a technicality. Thanks to ATT, Apple is an increasingly dominant Adtech player, which has been found in violation of data protection law. Apple’s practices of unconsented data processing affected hundreds of millions of users. This should be reflected in the penalty.