Thursday, January 5, 2023

French fine over App Store privacy violations undermines credibility of one of Apple's two favorite pretexts for monopoly abuse, pours fuel on fire of German antitrust authority's ATT investigation

Yesterday it became known that on December 29 a panel of the Commission nationale de l'informatique et des libertés (CNIL; National Commission on Informatics and Liberty)--which is tasked with the enforcement of the EU's General Data Privacy Regulation in France--"imposed an administrative fine of 8 million euros" on an Ireland-based Apple subsidiary for failing to obtain the consent of French iPhone users (specifically, users of version 14.6 of the operating system) "before depositing and/or writing identifiers used for advertising purposes on their terminals."

The same CNIL actually played a very regrettable role--which calls into question whether the ones running that agency really understand how mobile ecosystems work--when it effectively prevented French antitrust watchdog Autorité de la concurrence (Adcl; Competition Authority) from ordering interim measures against Apple's introduction of App Tracking Transparency (ATT). The economic fallout from ATT is disastrous, and a narrow-minded government agency that obstructs through government-internal lobbying--whether it's for dogmatic reasons, institutional influence, or someone's ego--the enforcement of competition law against such a massive abuse fails its country's companies and consumers alike.

I actually remember the CNIL's rapporteur on this Apple case, Professor François Pellegrini (now a vice president of the agency), from the days of the EU legislative process on the patentability of computer-implemented inventions (aka "software patents directive"). Back in the day we fundamentally disagreed on strategy, and we haven't been in contact in well over a decade. I don't know whether he was in any way responsible for the CNIL's misguided opposition to antitrust enforcement against ATT.

Presumably, the French digital economy--represented by the France Digitale industry association--was no less disappointed in the CNIL's irresponsible support of Apple's abusive scheme than I was. Regardless, France Digitale brought a complaint with the CNIL over Apple's self-preferencing: they just asked that Apple be held to the GDPR standard, and the CNIL found that Apple was out of compliance at least with respect to iOS 14.6.

Apple made a jurisdictional argument according to which only Ireland's data protection agency would be able to enforce the GDPR against Apple, and EU politicians have criticized Ireland for treating its largest tax payers and key foreign investors with kid gloves. Apple portrayed the way in which end users' actions on the App Store (viewing, downloading, and purchasing apps) were tracked as just a natural extension of an authentication method that would be necessary at any rate.

The €8M amount is not even chump change for Apple, but there are reasons for which Apple--in a statement first published by San Francisco-based Financial Times correspondent Patrick McGee--declared itself "disappointed with this decision" and vowed to appeal.

I've read the French decision (PDF) in full. In para. 92, the order notes that Professor Pellegrini established three criteria for the conformity of the mechanism by which iOS obtains user consent to targeted advertising based on a set of IDs (device ID, device pack ID etc.):

  1. The relevant window must be in French.

  2. Apple can't just broadly claim that it does not track user activities.

  3. No identifier may be used for (targeted) advertising purposes prior to obtaining, through a valid mechanism, the user's consent to such use of their data.

Apple then said (according to para. 93) that it had meanwhile translated the relevant on-screen messages to French, and that no identifier would be stored on the end-user device or read for advertising purposes ahead of the user's consent. And in March 2023 (at the latest), Apple said it would also change the text from "Apple does not track your activities" to "Apple does not track your activities in third-party apps and on third-party websites."

Whether those changes will satisfactorily alleviate all concerns is unclear at this stage, but let's assume for now that the €8M fine is indeed just a penalty for past conduct and Apple does not have to make changes beyond what it said would be the state of affairs in March 2023 (if not sooner). In that case, Apple's Search Ads business would probably thrive in France just like before. ATT kneecapped all advertising networks on iOS. End users are mostly going to grant Apple the requested consent unless Apple would have to display the same "alarmist" warning that end users see when a third-party app requests such consent. Instead, Apple focuses on user benefits (more relevant ads) when its own business is concerned, and emphasizes fear, uncertainty, and doubt (FUD) when it's about third-party apps.

So, if the fine doesn't hurt, and if the CNIL itself is not in a position to fully address Apple's self-preferencing, why does the decision (provided that Apple's appeal fails) still matter?

  • The most important effect would be if the CNIL stopped supporting Apple with respect to ATT. Maybe the CNIL has started to realize that it made a mistake last time, such as when it became known that Apple was bullying Meta/Facebook and, when it didn't get the revenue share it wanted, put ATT in place. If the CNIL could at least stay neutral with respect to antitrust enforcement against ATT, that would be great, but I don't know whether that's the case. Hopefully Apple has lost that governmental ally.

  • Where I have no doubt about a positive effect is the investigation of the German Bundeskartellamt (Federal Cartel Office) into self-preferencing with respect to ATT, but also more generally the anticompetitive effects of that money and power grab (see also the FCO's English-language press release). So far the Federal Cartel Office has been a dog that barks but doesn't really bite Big Tech (a topic I'll address in another post when I find the time for it). Anyway, the fact that a French government agency has already found Apple to engage in self-preferencing that apart from antitrust considerations even violates the GDPR is a silver bullet for political and psychological reasons.

  • There is a French App Store case in which the Paris Commercial Court rendered a decision last month, and which is about the app tax as opposed to ATT. Apple's two key pretexts for its App Store monopoly abuse are privacy and security. Apple's credibility on privacy has taken a hit now.

  • Last year, Apple CEO Tim Cook got a lukewarm reception at a gathering of privacy activists. Any decision that calls into question Apple's actual commitment to privacy will further reduce the willingness of that crowd to support Apple's commercial interests in continued monopoly abuse. Of course, Apple can still buy goodwill from privacy as well as security "experts" and "activists"--and Apple engages in astroturfing anyway, no matter the context.

  • In all App Store cases worldwide, the privacy pretext plays a role, and any credible decision that holds Apple in violation of data privacy laws, especially when there is a close connection with tracking user activities on the App Store, is somewhat relevant. However, Epic Games v. Apple is now at the appellate stage, and Epic rightly argued at the appellate hearing that only procompetitive justifications count (which was the key issue in NCAA v. Alston). So the question of how much substance there is to Apple's privacy pretext wouldn't even matter in that scenario. And at the hearing, the key judge--Ninth Circuit Judge Milan D. Smith--very much emphasized market definition, where the concern is a potential failure of proof. I continue to hope that Judge Smith will arrive at the conclusion that the district judge made enough mistakes in the market definition context to warrant a remand, and in that case I hope he will get the support of at least one other member of the panel. In a retrial, privacy could again become a topic of discussion unless the appeals court makes it clear that only procompetitive justifications matter.

  • Ultimately, I don't think the ATT problem can be solved through the enforcement of privacy rules, and even if self-preferencing came to an end, Apple would benefit from it (as app makers would still have to rely on non-ad revenues, some of which Apple can tax). The only solution is the availability of third-party app stores that enable developers to reach iOS users without having to submit their apps to Apple's app review. Apple could then try to use its control over iOS in other ways, but there are various technical ways in which users and devices can be identified even if Apple tries to complicate it (even fingerprints).

All in all, I think the CNIL decision (again, provided that it isn't overturned) has the potential to come back to haunt Apple in a number of contexts--and around the globe. And let me quote the assessment of the CNIL decision by French antitrust lawyer (and Adlc adviser) Fayrouze Masmi-Dazi, who advises various clients with respect to Apple's App Store abuse:

"It is a very important decision and another step towards sanctioning illicit practices - the Paris commercial court also sanctioned Apple for the significant imbalance of several contractual provisions of its developer[] license agreement."