Apple tracks iPhone users without consent, claims activist Max Schrems

Apple is breaking EU law by enabling iPhone users to be tracked without their consent, said the privacy activist Max Schrems in a complaint to German and Spanish regulators.

Mr Schrems’ campaign group, noyb, said the unique tracking code generated by each iPhone, called IDFA (Identifier for Advertisers), lets Apple and all iPhone app developers see how users behave without their knowledge or agreement.

“Just like a licence plate this unique string of numbers and characters allows Apple and other third parties to identify users across applications and even connect online and mobile behaviour (“cross device tracking”),” said noyb in a statement.

“Tracking is only allowed if users explicitly consent to it,” said Stefano Rossetti, a privacy lawyer at noyb. “While Apple introduced functions in their browser to block cookies, it places similar codes in its phones, without any consent by the user.”

Noyb filed the complaint under the EU’s e-Privacy directive, rather than the General Data Protection Regulation (GDPR). As a result, the national data regulators could directly fine Apple without needing the co-operation of EU data protection authorities, if any unlawfulness is found. “We are trying to avoid endless procedures like the ones we are facing in Ireland,” said Mr Rossetti.

Apple said in June that apps would have to ask for permission before accessing a phone’s IDFA in its latest operating system, iOS 14. In addition, the new system offers a privacy dashboard to let users understand the information that their phone’s apps are gathering.

However, Apple then said in September that it would delay the changes, “to give developers the time they need” until “early next year”.

Mr Schrems has already won one landmark case this year, when the European Court of Justice in July passed judgment on the legal protections that previously allowed European data to be relatively freely transferred to the US.

Last week, the European Data Protection Board released updated guidance on data transfers. It emphasised that data exporters had to consider risks such as intelligence services’ access to data objectively — whether they could examine information, rather than whether they were likely to.

Apple said: “The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint. Apple does not access or use the IDFA on a user’s device for any purpose. Our aim is always to protect the privacy of our users and our latest software release, iOS 14, is giving users even greater control over whether or not they want to allow apps to track them by linking their information with data from third parties for the purpose of advertising, or sharing their information with data brokers. Our practices comply with European law and support and advance the aims of the GDPR and the e-Privacy Directive, which is to give people full control over their data.”