Apple is breaking EU law by enabling iPhone users to be tracked without their consent, said the privacy activist Max Schrems in a complaint to German and Spanish regulators.
Mr Schrems’ campaign group, noyb, said the unique tracking code generated by each iPhone, called IDFA (Identifier for Advertisers), lets Apple and all iPhone app developers see how users behave without their knowledge or agreement.
“Just like a licence plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”),” said noyb in a statement.
“Tracking is only allowed if users explicitly consent to it,” said Stefano Rossetti, a privacy lawyer at noyb. “While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user.”
Noyb filed the complaint under the EU’s e-privacy directive, rather than the General Data Protection Regulation (GDPR). As a result, the national data regulators could directly fine Apple without needing the co-operation of EU data protection authorities, if any unlawfulness is found. “We are trying to avoid endless procedures like the ones we are facing in Ireland,” said Mr Rossetti.
Apple said in June that apps would have to ask for permission before accessing a phone’s IDFA in its latest operating system, iOS 14. In addition, the new system offers a privacy dashboard to let users understand the information that their phone’s apps are gathering.
However, Apple then said in September that it would delay the changes, “to give developers the time they need” until “early next year”.
Mr Schrems has already won one landmark case this year, when the European Court of Justice in July passed judgment on the legal protections that previously allowed European data to be relatively freely transferred to the US.
Last week, the European Data Protection Board released updated guidance on data transfers. It emphasised that data exporters had to consider risks such as intelligence services’ access to data objectively — whether they could examine information, rather than whether they were likely to.
Apple didn’t immediately reply for a request for comment.