CE - 473833
French Supreme Court upholds €8M GDPR fine against Apple for personalized ads without consent.
Summary
France's Conseil d'État (Supreme Administrative Court) upheld an €8 million fine imposed by CNIL against Apple in 2022 for accessing device identifiers to deliver personalized advertising in the App Store without obtaining prior user consent, as required by Article 5(3) of the ePrivacy Directive. Apple challenged the sanction on multiple grounds, including lack of jurisdiction, procedural violations, and disproportionality, but the court rejected all arguments and confirmed the fine was proportionate given the scale of processing and number of affected users.
Full text
Help CE - 473833: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 15:20, 24 November 2025 view sourceRp (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators195 edits Tag: Visual edit← Older edit Latest revision as of 14:27, 16 July 2026 view source Bms (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators189 editsTag: Visual edit Line 30: Line 30: |GDPR_Article_Link_2=|GDPR_Article_Link_2= |EU_Law_Name_1=Article 5(3) Directive 2002/58/EC|EU_Law_Name_1=Article 5(3) ePrivacy Directive 2002/58/EC |EU_Law_Link_1=https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng|EU_Law_Link_1=https://eur-lex.europa.eu/eli/dir/2002/58/oj |EU_Law_Name_2=|EU_Law_Name_2= |EU_Law_Link_2=|EU_Law_Link_2= Latest revision as of 14:27, 16 July 2026 CE - 473833 Court: CE (France) Jurisdiction: France Relevant Law: Article 5(3) ePrivacy Directive 2002/58/EC Decided: 10.10.2025 Published: Parties: Apple Distribution International Limited National Case Number/Name: 473833 European Case Law Identifier: Appeal from: CNIL (France)SAN-2022-025 Appeal to: Not appealed Original Language(s): French Original Source: CE (in French) Initial Contributor: RP The Supreme Administrative Court upheld an €8 million fine against Apple for accessing device identifiers to deliver personalised ads without prior consent. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The DPA imposed an €8 million administrative fine on Apple (the controller) in 2022 (CNIL - SAN-2022-025). The DPA found that Apple used identifiers stored on users’ devices to enable personalized advertising in the App Store without first obtaining valid user consent, as required by Article 82 of the French Data Protection Act, which implements Article 5(3) of the ePrivacy Directive. Apple challenged the sanction before the Supreme Administrative Court (Conseil d’État), arguing that the DPA lacked jurisdiction, that the investigation violated Apple’s procedural rights, that the advertising-related processing did not fall within the scope of Article 82, and that the case should be referred to the Court of Justice of the EU. Apple also claimed that the fine was disproportionate. Holding The court held that reading identifiers stored on user devices for the purpose of delivering personalised advertising constitutes access to information under Article 5(3) of the ePrivacy Directive, requiring the controller to obtain the user’s prior consent. It reasoned that since this operation was to implement personalized advertising it could not fall within the exemptions to the consent requirement. The court found that the national authority was competent because the controller’s establishment within the country contributed to the advertising operations in question. It did so by marketing devices pre-equipped with the App Store where personalized advertising appears and by providing Search Ads Specialists who helped monetize and optimize that advertising space. It also rejected the controller’s claim that the authority had violated its procedural rights, finding that the right to remain silent did not apply during CNIL investigations and that the authority had lawfully carried out the investigation providing sufficient opportunity for the controller to respond. Additionally, the court rejected Apple's request to reference the case to the Court of Justice of the EU stating that there wasn't any reasonable doubt Finally, it held that the €8 million fine was proportionate, noting the scale of the processing, the number of affected users, and the economic significance of the advertising activity. Comment Share your comments here! Further Resources Share blogs or news articles here! English Machine Translation of the Decision The decision below is a machine translation of the French original. Please refer to the French original for more details. FRENCH REPUBLIC IN THE NAME OF THE FRENCH PEOPLE Having regard to the following procedure: By a summary application, a supplementary memorandum, and six further memoranda, registered on May 4, 2023, August 4, 2023, May 23, June 28, September 20, and October 14, 2024, and January 16 and September 12, 2025, with the Registry of the Litigation Division of the Council of State, Apple Distribution International Limited requests the Council of State: 1) to annul Decision No. SAN-2022-025 of December 29, 2022, by which the restricted panel of the National Commission for Information Technology and Civil Liberties (CNIL) imposed an administrative fine of €8 million on it; 2) Where appropriate, to refer the following questions to the Court of Justice of the European Union for a preliminary ruling: 1) Should the provisions of Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, which require the controller to obtain the consent of users or subscribers of a service when using electronic communications networks to store information or access information stored in their terminal equipment, be interpreted, in particular in the light of Opinion 5/2019 of the European Data Protection Board of 12 March 2019 and the scope of the GDPR, as including within their material scope any further processing within an authenticated environment that does not involve the storage of or access to information on a user's device but which could not take place if "(2) Should the provisions of paragraph 3 of Article 5 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector be interpreted, in particular in light of recital 9 of the ePrivacy Directive and the provisions of Article 25 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, as requiring the obtaining of consent from users or subscribers when using electronic communications networks to store or access information stored in their terminal equipment, where such storage or technical access is strictly necessary to ensure the privacy-protective features of their data, according to a fair and transparent approach" of respect for privacy by design 3) to order the CNIL to pay the sum of €6,000 pursuant to Article L. 761-1 of the Code of Administrative Justice. Having regard to the other documents in the file; Having regard to: - the Constitution, in particular its Preamble; - the European Convention for the Protection of Human Rights and Fundamental Freedoms; - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016; - Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002; - Law No. 78-17 of 6 January 1978; - the Code of Administrative Justice; After hearing in open court: - the report of Ms. Alexandra Poirson, Auditor, - the submissions of Ms. Leila Derouich, Public Rapporteur ; Following the submissions, the floor was given to SCP Piwnica and Molinié, counsel for Apple Distribution International Limited; Considering the following: 1. Apple Distribution International Limited requests the annulment of the decision of December 29, 2022, by which the restricted panel of the French Data Protection Authority (CNIL) imposed an administrative fine of €8 million on it for breach of Article 82 of the Law of January 6, 1978, concerning information technology, data files and civil liberties, due to data reading and writing practices for advertising purposes, and decided to make its decision public, subject to an anonymization procedure after a period of two years. Regarding the CNIL's jurisdiction: 2. Pursuant to the provisions of Article 8, paragraph I, of the Law of January 6, 197