A group led by privacy activist Max Schrems filed complaints on Monday (16 November) with German and Spanish authorities over Apple’s online tracking tool, saying it breached European law by allowing iPhones to store users’ data without their consent.
It is the first such major action against the U.S. technology group related to European Union privacy rules.
Noyb, the digital rights group run by Schrems, has successively fought two landmark privacy cases against Facebook.
Apple said it was not immediately in a position to comment.
The company previously said it provided users with a superior level of privacy protection. The Californian tech giant had said it would further tighten its rules with the launch of its iOS 14 operating system this autumn but in September said it would delay the plan until early next year.
Noyb’s complaints were brought against Apple’s use of a tracking code that is automatically generated on every iPhone when set up, the so-called Identifier for Advertisers (IDFA).
The code, stored on the device, allows Apple and third parties to track a user’s online behaviour and consumption preferences – vital for the likes of Facebook to be able to send targeted ads that will interest the user.
“Apple places codes that are comparable to a cookie in its phones without any consent by the user. This is a clear breach of European Union privacy laws,” said Noyb lawyer Stefano Rossetti.
Rossetti referred to the EU’s e-Privacy Directive, which requires a user’s consent before installation and using such information.
Apple’s planned new rules would not change this as they would restrict third-party access but not Apple’s.
Apple accounts for one in every four smartphones sold in Europe, according to Counterpoint Research.
The claims were made on behalf of an individual German and Spanish consumer and handed to the Spanish data protection authority and its counterpart in Berlin, said Noyb.
Spain’s privacy protection agency confirmed it received a complaint from Noyb against Apple but declined to comment.
The Berlin agency had no comment. In Germany, each federal state has its own data protection authority.
Noyb said the claims were based on the 2002 e-Privacy Directive that allows national authorities to impose fines autonomously, avoiding lengthy proceedings it faced in its case against Facebook that was based on the EU’s General Data Protection Regulation (GDPR).
The GDPR regime launched in 2018 included a mandatory cooperation mechanism among national authorities, which Noyb says has slowed progress.
Rossetti said the action aimed to establish a clear principle that “tracking must be the exception, not the rule”.
Apple faced an antitrust complaint in France last month in which advertising groups objected to the planned privacy changes, saying they gave Apple an unfair advantage.
While Schrems has won legal victories in Europe against Facebook’s privacy practices, the U.S. social network has been able to adapt its targeted online advertising model.