The consumer rights activist Max Schrems has filed a formal privacy case against Apple, arguing that an ID generated by iPhones that lets advertisers track users violates privacy regulations.
Schrems, whose lawsuit against Facebook led to a landmark ruling restricting data transfers from the EU to the US, has made the case through his privacy rights non-profit Noyb, which has filed formal complaints in Spain and Berlin against Apple.
At the core of the complaint is Apple’s generation of the IDFA (Identifier for Advertisers) on each iPhone. Advertisers can then use the IDFA to track users across various apps, and better target them for personalised advertising.
The idea behind the tool is to improve user privacy by stopping advertisers using other identifiers to track users, and allowing users to reset the IDFA at will.
But, Noyb argues, simply generating it could breach EU privacy law, since it is created without the user’s “knowledge or consent”. And while users are given control over whether they reset the identifier, and allowed to prevent individual apps from accessing it, they cannot, Noyb says, prevent it from being generated in the first place.
“EU law protects our devices from external tracking,” said Stefano Rossetti, a privacy lawyer at Noyb. “Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in its browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.
“With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted. Smartphones are the most intimate device for most people, and they must be tracker-free by default.”
In a statement, Apple strongly denied Noyb’s complaints had merit. “The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint. Apple does not access or use the IDFA on a user’s device for any purpose.
“Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers. Our practices comply with European law and support and advance the aims of the GDPR and the ePrivacy directive, which is to give people full control over their data.”
Although much of the EU’s privacy law is regulated by GDPR (general data protection regulation), which would place the power to act in the hands of the Irish data protection authority based on the location of the company’s EU HQ, Noyb’s complaint is based on the older e-privacy directive. That means that Germany or Spain could decide to directly fine Apple if they agree with the criticism.
Despite the privacy complaint, Apple has more frequently faced criticism over its IDFA feature from the other side of the divide: advertisers panicked when early beta versions of iOS 14, the latest operating system for iPhones, required an active warning before developers could read the IDFA – and offered users the ability to not share it. That feature was pulled at the last minute, and will now not be live until 2021.