Regulators say Apple tracking code breaks EU law

Apple's online tracking tool breaks European Union law by letting iPhones store users' data without their consent, according to new complaints filed to Germany and Spain's data protection authorities.

A Vienna-based data privacy organization called noyb (for "none of your business") filed both complaints Monday morning.

Smartphones "are the most intimate device for most people and they must be tracker-free by default," says noyb's privacy lawyer Stefano Rossetti.

Figure 1: (Source: Stock Catalog, CC BY 2.0)

Apple places a tracking code on iOS devices when they are set up, and it does not enable users to give or refuse their consent.

The complaint argues Apple's code functions like a cookie and is in violation of the EU's ePrivacy directive. In force since 2002, the directive says member states must ensure users grant consent before cookies are stored and accessed in their online devices.

This is the first major action against Cupertino-based Apple for violating EU privacy rules, but it comes on the heels of successful privacy actions by the data privacy group against Facebook.

Identity crisis

When an iPhone is set up, it generates an Identifier for Advertisers (IDFA). This code can look like this: 7D902I08D-7846-4CA4-TE6P-83369125YFDC.

The code lets Apple and third-party companies track your online behavior – and charge advertisers to send you targeted ads.

The ePrivacy directive's Article 5(3) says information on a user's device can only be stored or read if a user "is provided with clear and comprehensive information ... inter alia about the purposes of the processing, and is offered the right to refuse such processing."

In June, Apple said with its iOS 14, it will give users the ability to opt in to allowing third-party companies to access the code... but not Apple's.

The company also has pushed these changes back to sometime in early 2021, after worries popular apps would just have stopped functioning.

Digital twins

There is a whole industry based around creating "digital twins," scraping up data and making it easy for companies to categorize users.

Facebook has said that without the ability to personalize them, ads will be spammy. And with lower advertising revenue, users will get a lot less for free.

This might result in you seeing an ad for something you like, says Finn Myrstad, a Norwegian digital privacy expert. But equally, "it might also lead to cascading unintended consequences such as being discriminated [against] based on real or perceived characteristics ... being denied a mortgage or not seeing certain job ads," he argues.

To the Max

Noyb's head is Max Schrems, a 32-year-old Austrian privacy activist and lawyer. He was a law student in the US when he wrote a term paper on Facebook's lack of awareness of EU privacy law.

Building on the term paper, he decided to make a request to Facebook for the company's records on him, using an EU right of access to personal data.

In response, he received a CD containing over 1,200 pages of data. Unimpressed, Schrems filed a complaint with Irish data regulators in 2011. (Facebook has had its European headquarters in Dublin since 2008.)

He's had some preliminary success so far convincing courts — most recently, the European Court of Justice — that the US doesn't provide adequate measures for individual data protection, and that European citizens therefore have a right not to have their data go to America.

The EU has been in the act of updating Europe's data privacy framework with a proposed new ePrivacy regulation.

The proposed regulation takes into account GDPR and aims to establish a "right to a private life" in electronic communications. It has had a somewhat bumpy journey and hasn't yet been adopted.

In another sign it is a growth industry to be one of Apple's lawyers, a group of advertising companies and publishers filed a complaint against Apple with France's competition authority at the end of August.

The privacy changes requiring users to opt in to let apps use their IDFA are anticompetitive, and "will destroy the mobile ad ecosystem while benefiting Apple," they argue.

Related posts:

— Pádraig Belton, contributing editor, special to Light Reading