Rapporteur for France’s Data Protection Agency Eyeing Six Million Euro Fine for Apple Over First-party Privacy Violations

One of the more contentious pieces of Apple’s App Tracking Transparency (ATT) framework is the set of exceptions the company grants to itself for a variety of its own pre-installed apps. A complaint lodged by an industry lobbying group and a subsequent investigation have resulted in the rapporteur for France’s lead data protection agency (CNIL) recommending a six million euro fine for breaching the European Union’s ePrivacy directive due to privacy violations.

Unlike fines issued due to violations of the General Data Protection Regulation (GDPR), an ePrivacy action can be taken directly by CNIL without the involvement of other nations. The rapporteur’s decision is not binding in any way, but it generally carries substantial weight in CNIL’s final decision.

Privacy violations tied to structure of iOS 14

The iOS 14.5 release in April 2021 was the first to implement Apple’s ATT framework, which requires third-party app developers to present end users with a standard notification of any targeted ad tracking and ask for their consent. The app must not be reduced in function in any way if the user opts out, which has raised the hackles of the advertising industry and app developers that rely on it for their income.

Critics were quick to point out that Apple excepted a number of its own apps from this requirement, even though they were collecting data used for targeted advertising (such as News and the App Store). Apple’s argument has been that since that information is kept within its own ecosystem and not shared with third parties, the ATT rules do not apply.

Apple has since added consent notifications as of iOS 15 (released in September 2021), but it may have been in violation of the ePrivacy directive prior to that. The directive requires notification of and affirmative prior consent to collection of personal data to avoid privacy violations, even if it is only for first-party use.

Rapporteur Francois Pellegrini’s recommendation follows a CNIL investigation that was sparked by a complaint from tech industry lobbying group France Digitale, filed in 2021. The lobbying group represents numerous European startups and entrepreneurial ventures along with some bigger names, such as Oracle and WeWork.

Apple is contesting the decision, but seemingly not on the grounds that privacy violations occurred. Head of privacy Gary Davis instead argued that there was not enough “seriousness to the breach” to merit the fine amount and indicated that Apple will push for a smaller amount. CNIL does not have a specific timeframe for reaching a decision, but tends to be among the fastest agencies in Europe in rendering decisions and will not be bogged down by the usual GDPR process that would have required input from nations throughout the bloc.

Apple ties its fortunes to device privacy, but continues to encounter regulatory issues in Europe

The introduction of the ATT framework was meant to signal a shift in focus by Apple, pushing its business toward a marketing focus on superior hardware and preventing privacy violations rather than accommodating third-party advertisers. The company continues to tangle with Europe’s regulators on a variety of issues, however, including antitrust concerns that relate to the terms Apple sets for the developers that sell through its app store.

Apple was just recently hit with a whopping €1.1 billion fine by France’s antitrust regulator, though the amount was reduced to €372 million upon appeal. That ruling was not for privacy violations, but for a price fixing charge involving Apple and several distributors conspiring to fix device prices. It has also paid much smaller fines in the past for other antitrust violations and a charge that it intentionally throttled older models of the iPhone to push customers into buying new ones.

Apple faces continuing antitrust scrutiny over its assorted policies for third-party developers that sell through the App Store, though the incorporation of user privacy violations into these claims is a relatively recent development. Apple has been battling with Spotify and other app developers for a longer period over the mandatory fees of up to 30% that it charges on transactions, with developers contending that Apple has monopoly power given that there are only two real app marketplace options.

Europe is not its only source of trouble; Apple was also hit with a class action suit over privacy violations, under the requirements of California law that prevent browsing and internet activity information from being collected without proper consent. Apple devices have an “Allow Apps to Request to Track” setting that purportedly prevents this collection when disabled, but the suit contends that numerous first-party apps (such as the App Store and Stocks) continue to log this information even when tracking is not allowed by the user. Collected information includes where users tap on the screen, what they search for within Apple apps, and the ads they have previously viewed, among other items.