The Austrian lawyer and privacy campaigner Max Schrems—whose activism has destroyed two transatlantic data-sharing deals and driven Europe-U.S. data flows into legal purgatory—has generally not had a huge problem with Apple. Until now.
It’s not that Schrems and his NOYB (“None of your business”) organization have never targeted Apple before—they made a complaint in early 2019 about its failure, and that of many other Big Tech firms, to give people all the data about them that they can lawfully demand. But their main targets have generally been Google and the big social media firms, Facebook in particular.
That changed Monday, when NOYB made dual complaints, in Spain and Germany, about Apple’s user tracking.
According to the privacy group, Apple’s iOS mobile operating system breaks the EU’s so-called cookie law by creating a tracking code without users’ knowledge or consent. This identifier for advertisers (IDFA) allows Apple and app providers to monitor what users are doing and build profiles for targeted advertising.
‘Clear breach’
“EU law protects our devices from external tracking,” said NOYB lawyer Stefano Rosetti in a statement. “Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”
Apple devices have been flagging up their unique identities to app developers using IDFA for the better part of a decade now.
This year, Apple said it would stop third parties from accessing the codes without explicit user consent—a scenario that involves clearly informing people about how apps and websites aid their surveillance—but it delayed the change until next year following complaints from Facebook and the ad industry.
According to NOYB, even when this change materializes, it will not be enough to keep Apple on the right side of the law—because it won’t stop the company itself from tracking users without their explicit consent.
“We believe that Apple violated the law before, now, and after these changes. With our complaints we want to enforce a simple principle: Trackers are illegal, unless a user freely consents. The IDFA should not only be restricted but permanently deleted,” said Rosetti. “Smartphones are the most intimate device for most people, and they must be tracker-free by default.”
Apple strongly denies the claims.
“The claims made against Apple in this complaint are factually inaccurate, and we look forward to making that clear to privacy regulators should they examine the complaint,” it said in an emailed statement. “Apple does not access or use the IDFA on a user’s device for any purpose.”
In case Google thinks it might be escaping attention here, NOYB added that it is also reviewing the Google ad identifier, its equivalent to Apple’s IDFA.
Speed hopes
It should be noted that the law in question here—the nearly two-decades-old e-Privacy Directive—is completely separate from the EU’s much-feared General Data Protection Regulation (GDPR) of 2018.
NOYB believes complaining under the older law (whose modernization has been repeatedly delayed) will allow for a swifter resolution, even though the maximum fines are much lower under that law than they are under the GDPR.
NOYB has outstanding complaints against a host of companies, most notably Facebook, but none have reached a conclusion yet, despite the introduction of the GDPR two and a half years ago. (Schrems’s crew launched the first volley of complaints mere hours after that law came into effect.)
This article was updated to include Apple’s statement.
