Berlin: A group led by privacy activist Max Schreams on Monday filed complaints with German and Spanish data protection authorities about Apple’s online tracking tool, claiming that it allows iPhones to store users’ data without their consent in violation of European law.
It is the first such large measure against the American tech group regarding European Union privacy rules.
Apple did not immediately respond to a request for comment.
The California tech giant says it provides users with a higher level of privacy protection.
The company had announced it would tighten its rules further with the launch of its iOS 14 operating system this fall, but said in September it would delay the plan until early next year.
The complaints were filed by the Noyb digital rights group against Apple’s use of a tracking code that is automatically generated on every iPhone when it is set up, called an Advertiser Identifier (IDFA).
The code stored on the device allows Apple and third parties to track user online behavior and consumption preferences – which is vital for the likes of Facebook to be able to send you targeted ads that spark user interest.
“Apple places cookies on its phones that can be compared to a cookie without the user’s consent. This is a clear violation of privacy laws in the European Union,” said Stefano Rossetti, Neube’s lawyer.
Rosetti referred to the European Union Directive on Electronic Privacy, which requires the user’s prior consent to the installation and use of this information.
Apple’s planned new rules will not change this as they will restrict third-party access but not Apple’s.
Apple has one in every four smartphones sold in Europe, according to Counterpoint Research.
The claims were filed on behalf of individual German and Spanish consumers and handed over to the Spanish data protection authority and its counterpart in Berlin, says Neub, a privacy advocacy group led by Austrian firm Schrems that has successfully fought two notable trials against Facebook.
In Germany, unlike Spain, each federal state has its own data protection authority.
Both authorities did not immediately respond to requests for comment.
Rossetti said the action was not about high ends but rather aimed at establishing a clear principle: “The pursuit must be the exception, not the rule.”
“IDFA should not only be restricted, it should be deleted permanently,” he said.
National data protection authorities have the power to directly fine companies for breaching European law under the Electronic Privacy Directive.
Neub, who has filed several complaints against Facebook and Google in Ireland and complained that the National Data Protection Commission is slow to take action, said she hopes the Spanish and German authorities will act more quickly.