Privacy Group Files Complaint Over iOS TrackingMax Schrems' NOYB Organization Says Default on iPhone Breaks EU Privacy Laws
NOYB, a privacy group run by Austrian Max Schrems, has filed complaints against Apple with Spanish and German data protection regulators alleging the company's Identifier for Advertisers breaks European Union privacy laws by allowing Apple and all apps on the iPhone to track a user without consent.
See Also: Case Study: The Road to Zero Trust
In a statement, NOYB, a nonprofit whose name stands for "none of your business," notes: "Apple places these tracking codes without the knowledge or agreement of the users. NOYB therefore filed two complaints against the company," with partner Xnet assisting in Spain.
Unique Identifier for Advertisers, or IDFAs, are automatically generated for each iPhone so that Apple and third parties can identify users across applications and connect online and mobile behavior, which is called "cross device tracking."
Schrems says this type of online identifier acts like a cookie as defined under the so-called EU Cookie Law, which means it requires the user's informed and unambiguous consent. Because the complaints are filed through the EU's e-Privacy Directive and not General Data Protection Regulation, this should speed up a ruling, he says.
"Tracking is only allowed if users explicitly consent to it," says Stefano Rossetti, a privacy lawyer at NOYB. "This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws."
An Apple spokesperson could not be immediately reached for comment.
Outlook in Spain, Germany
The German and Spanish complaints should be treated differently, says Elena Riazanova, founder and senor privacy consultant at Security Trend Ltd., which provides data protection consulting.
Spanish judges often apply the wording of the law exactly, without considering implications for business or seeking advice of the Court of Justice of the European Union. She cited the 2019 ruling in the Vueling Airline case, where the company did not provide a tool aimed at managing cookies on its website and was given the maximum fine of 30,000 euros ($35,000) under Spanish law.
"Starting from the iOS 10, Apple provided an opt-out tool to avoid an IDFA tracking case relying on legitimate interests to collect IDFA or implied consent," Riazanova says. "However, since the implementation of GDPR, the definition of consent changed and the implied consent was not valid anymore. … Apple continued accessing IDFAs by default and also allowing other apps to access it, without providing a new opt-in option for users to consent the access to it."
Consequently, Riazanova says Apple might also receive the maximum 30,000 euros ($35,000) fine in Spain.
In Germany, the Planet49 cookie case clarified that a pre-ticked checkbox does not equal consent, which has to be explicit, not implied. Now Planet49 must obtain valid consent for tracking or face fines of up to 50,000 euros ($59,000) under GDPR if cookie consent alone is missing.
Commenting on how Apple might fight the complaints, Riazanova notes: "Apple as the phone operating system owner has other ways of uniquely identifying users that are not available for app developers, like UUID [Universally Unique Identifier], that it also uses for security and to analyze preferences." Therefore, Apple could claim it only uses IDFA when the user has given explicit consent to sharing it with a certain app.
While Apple published a notification about changes to the IDFA systems that it uses within its iPhones, "these changes seem to restrict the use of the IDFA for third parties (but not for Apple itself)," according to the NOYB complaint. "Just like when an app requests access to the camera or microphone, the plans foresee a new dialog that asks the user if an app should be able to access the IDFA. However, the initial storage of the IDFA and Apple’s use of it will still be done without the users’ consent and therefore in breach of EU law. It is unclear when and if these changes will be implemented by the company."
Rossetti says NYOB “wants to enforce a simple principle: Trackers are illegal unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people, and they must be tracker-free by default."
NOYB notes that Google and its Android devices use a similar tracking system, which the organization is also currently reviewing.
NOYB's Previous Wins
Over the past several years, NOYB has won cases against other large tech companies by using GDPR's right to privacy provisions. Schrems argued that the transfer of his personal data by Facebook Ireland to its parent company in the U.S. made it vulnerable to U.S. government snooping. The case against Facebook led to the company changing how it handles user data in the EU.
It also resulted in Europe's highest court invalidating the Privacy Shield, an EU-U.S. data-sharing agreement, on the grounds that it offers insufficient privacy safeguards for Europeans (see: European Court Drops 'Privacy Shield' Over US Surveillance).