Apple’s claim that it puts customer privacy at the heart of its business has been blasted by Facebook nemesis Max Schrems – the man who brought down both the Safe Harbour and Privacy Shield data transfer deals – who believes the company unlawfully tracks users’ behaviour and preferences without their consent.
Apple chief executive Tim Cook has long tried to differentiate the company from its tech rivals by insisting it is dedicated to data privacy.
Back in 2018, he even made an impassioned speech in Brussels calling for new GDPR-style data protection laws in the US. At the time, he claimed modern technology has resulted in a “data-industrial complex” where personal information is “weaponised against us with military efficiency”.
Apple’s most recent ad campaign states: “If privacy matters in your life. It should matter to the phone your life is on. Privacy. That’s iPhone.”
But, according to Schrems and his privacy organisation NOYB at least, this is bunkam.
NOYB claims that Apple’s so-called “Identifier for Advertisers” – a cookie installed on every iPhone – allows the company and all apps on the phone to track a user and combine information about online and mobile behaviour. Apple places these tracking codes without the knowledge or agreement of users, the group says.
The privacy organisation has now filed two complaints against Apple, in Germany and Spain, although not under GDPR but under the ePrivacy Directive. NOYB privacy lawyer Stefano Rossetti said the move is a deliberate attempt not to trigger the cooperation mechanism of GDPR.
He said the organisation wanted to avoid involving the Irish Data Protection Commission and the “endless procedures” which have seen complaints it registered against Facebook go through protracted legal procedures, bouncing from the Irish High Court to the European Court of Justice, and back again, for years. It has already registered one GDPR complaint against Apple over data access which has yet to be concluded.
Rossetti added: “We believe Apple violates the law. With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people and they must be tracker-free by default.
“EU law protects our devices from external tracking. Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”
The action refers to only German and Spanish users who complained about Apple, Rossetti said, but believes any decision could extend beyond these two countries. He added that it would be difficult for the company to continue doing with millions of people what was declared illegal in those regions.
In response, Apple said the claims were “factually inaccurate”. It added: “Apple does not access or use the IDFA on a user’s device for any purpose. Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers.”
The company also said that its “practices comply with European law and support and advance the aims of the GDPR and the ePrivacy Directive, which is to give people full control over their data”.
Third time lucky? EU and US open Privacy Shield talks
Firms face scramble for post-Brexit data transfer deals
US tech giants rocked as Privacy Shield gets the chop
Apple accused of illegally sharing iTunes customer data
Apple, Spotify, Google and Netflix face GDPR data probe
EU agrees Privacy Shield but UK must still toe line
Transatlantic data transfers torpedoed once again
Facebook ‘still using illegal safe harbour agreement’
Apple takes pop at rivals’ data abuse
New ruling halts US data transfer