The Austrian lawyer and privacy campaigner Max Schrems—whose activism has destroyed two transatlantic data-sharing deals and driven Europe-U.S. data flows into legal purgatory—has generally not had a huge problem with Apple. Until now.
It’s not that Schrems and his NOYB (“None of your business”) organization have never targeted Apple before—they made a complaint in early 2019 about its failure, and that of many other Big Tech firms, to give people all the data about them that they can lawfully demand. But their main targets have generally been Google and the big social media firms, Facebook in particular.
According to the privacy group, Apple’s iOS mobile operating system breaks the EU’s so-called “cookie law” by creating a tracking code without users’ knowledge or consent. This Identifier for Advertisers (IDFA) allows Apple and app providers to monitor what users are doing and build profiles for targeted advertising.
“EU law protects our devices from external tracking,” said NOYB lawyer Stefano Rosetti in a statement. “Tracking is only allowed if users explicitly consent to it. This very simple rule applies regardless of the tracking technology used. While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user. This is a clear breach of EU privacy laws.”
Apple devices have been flagging up their unique identities to app developers using IDFA for the best part of a decade now.
This year, Apple said it would stop third parties from accessing the codes without explicit user consent—a scenario that involves clearly informing people about how apps and websites aid their surveillance—but it delayed the change until next year following complaints from Facebook and the ad industry.
According to NOYB, even when this change materializes, it will not be enough to keep Apple on the right side of the law—because it won’t stop the company itself from tracking users without their explicit consent.
“We believe that Apple violated the law before, now and after these changes. With our complaints we want to enforce a simple principle: trackers are illegal, unless a user freely consents. The IDFA should not only be restricted, but permanently deleted,” said Rosetti. “Smartphones are the most intimate device for most people and they must be tracker-free by default.”
In case Google thinks it might be escaping attention here, NOYB added that it is also reviewing the Google Ad Identifier, its equivalent to Apple’s IDFA.
It should be noted that the law in question here—the nearly two-decade-old e-Privacy Directive—is completely separate from the EU’s much-feared General Data Protection Regulation (GDPR) of 2018.
NOYB believes complaining under the older law (whose modernization has been repeatedly delayed) will allow for a swifter resolution, even though the maximum fines are much lower under that law than they are under the GDPR.
NOYB has outstanding complaints against a host of companies, most notably Facebook, but none have reached a conclusion yet, despite the introduction of the GDPR two and a half years ago (Schrems’s crew launched the first volley of complaints mere hours after that law came into effect.)
Apple had not responded to a request for comment at the time of publication.
More must-read tech coverage from Fortune:
- Hackers are trying to disrupt and steal COVID-19 vaccine research
- Here’s how President-elect Biden plans to tackle online abuse
- What’s in a name? For Tesla’s Full Self Driving, it may be danger
- What my day on conservative social network Parler was like
- He’s worried A.I. may destroy humanity. Just don’t confuse him with Elon Musk