Apple CEO Tim Cook reveals the new iPhone 12.
LONDON — Apple on Monday found itself the target of two complaints from Austrian privacy activist Max Schrems, who has successfully fought Facebook in historic legal battles twice before.
Schrems’ Vienna-based non-profit group, Noyb, filed complaints in Germany and Spain alleging Apple’s use of a tracking code on iPhones, called IDFA, breaches European law.
IDFA, or Identifier for Advertisers, is a unique device ID number used by advertisers to better target ads and estimate their effectiveness. The practice doesn’t yet require user consent, and Noyb argues this is required under EU privacy rules.
“The IDFA is placed into the device without the user’s consent,” Stefano Rosetti, data protection lawyer at Noyb, told CNBC. “We find that this constitutes a violation of the so-called “cookie law” … which prohibits the installation of trackers of any sort without the user consent.”
Apple was not immediately available for comment when contacted by CNBC.
Apple had originally planned to require developers on its iOS mobile operating system to allow users to opt out of such tracking. But it took the decision to delay this change to early 2021 after warnings over the impact it could have on Facebook and other mobile advertisers.
However, Noyb’s Rosetti doesn’t think this feature would make a difference.
“It’s not clear, for example, if the tracker will still be created and then some sort of technical mechanism will hinder third parties from accessing it,” he said. “And what about Apple? Will the company access the tracker? Again it’s not clear.”
“In a sense, it does not concern this action because … our point is that the tracker should not be created/installed in the first place (at least without the user’s informed and freely given consent).”
Noyb said its complaints weren’t based on GDPR — a major piece of EU legislation that allows authorities to impose hefty fines — meaning the Spanish and German regulators can fine Apple directly without having to cooperate with other data protection authorities in the bloc.
Schrems has risen to fame in the last decade for taking on Facebook over the transfer of European citizens’ data to the U.S. He argued that, in light of revelations from American whistleblower Edward Snowden, U.S. law did not offer sufficient protection against surveillance by public authorities.
His first major victory came in 2015 when he successfully brought down the EU’s Safe Harbor agreement on EU-U.S. data transfers. Five years later, the European Court of Justice agreed with Schrems that a new framework called the Privacy Shield doesn’t adequately protect the privacy of Europeans.
It’s a major development that means companies moving people’s personal data from the EU to other jurisdictions will have to provide the same protections given inside the bloc. Facebook has clashed with Ireland’s data protection watchdog over the matter, arguing it could threaten its EU operations.