A group led by privacy activist Max Schrems has filed complaints with German and Spanish data protection authorities over Apple’s internet tracking tool, alleging that it allows iPhones to store users’ data without their consent in breach of EU law.
It is the first such major action against the US tech titan in regards to European Union privacy rules.
The Californian tech giant says it provides users with a superior level of privacy protection. The company had announced it would further tighten its rules with the launch of its iOS 14 operating system this autumn but in September said it would delay the plan until early next year.
The complaints by digital rights group Noyb were brought against Apple’s use of a tracking code that is automatically generated on every iPhone when it is set up, the so-called Identifier for Advertisers (IDFA).
The code, stored on the device, allows Apple and third parties to track a user’s online behaviour and consumption preferences – vital for the likes of Facebook to be able to send targeted ads that will interest the user.
“Apple places codes that are comparable to a cookie in its phones without any consent by the user. This is a clear breach of European Union privacy laws,” said Noyb lawyer Stefano Rossetti.
Rosetti referred to the EU’s e-Privacy Directive, which requires a user’s prior consent to the installation and use of such information.
Apple’s planned new rules would not change this as they would restrict third-party access but not Apple’s.
Apple accounts for one in every four smartphones sold in Europe, according to research vendor Counterpoint Research.
The claims were made on behalf of an individual German and Spanish consumers and handed to the Spanish data protection authority and its counterpart in Berlin, said Noyb, a privacy advocacy group led by Austrian Schrems that has successfully fought two landmark trials against Facebook.
In Germany, unlike Spain, each federal state has its own data protection authority.
Both authorities did not immediately reply to requests for comment.
Rossetti said the action was not about high fines but rather aimed at establishing a clear principle whereby “monitoring has to be the exception, not the rule”.
“The IDFA should not only be restricted, but forever deleted,” he said.
National data security authorities have the power to directly fine companies for breaching European law under the e-Privacy Directive.
Noyb, which has filed numerous complaints against Facebook and Google in Ireland and whined the national data protection commission was slow to do so, said it expected for the Spanish and German governments to act more quickly.
The team at Platform Executive hope you have enjoyed this news article. Initial reporting via our official content partners at Thomson Reuters. Reporting by Kirsti Knolle. Editing by Jane Merriman and Louise Heavens.
Stay on top of the latest developments across the platform economy and gain access to our problem-solving tools, proprietary databases and content sets by becoming a premium member. Subscription plans start at under $7 per month.