By Kirsti Knolle
BERLIN (Reuters) – A group led by privacy activist Max Schrems filed complaints on Monday with German and Spanish data protection authorities over Apple’s online tracking tool, saying it breached European law by allowing iPhones to store users’ data without their consent.
It is the first such major action against the U.S. technology group related to European Union privacy rules.
Noyb, the digital rights group run by Schrems, has successfully fought two landmark trials over privacy against Facebook.
Apple said it was not immediately in a position to comment.
The Californian tech giant has previously said it provides users with a superior level of privacy protection. It had announced it would further tighten its rules with the launch of its iOS 14 operating system this autumn but in September said it would delay the plan until early next year.
Noyb’s complaints were brought against Apple’s use of a tracking code that is automatically generated on every iPhone when set up, the so-called Identifier for Advertisers (IDFA).
The code, stored on the device, allows Apple and third parties to track a user’s online behaviour and consumption preferences – vital for the likes of Facebook to be able to send targeted ads that will interest the user.
“Apple places codes that are comparable to a cookie in its phones without any consent by the user. This is a clear breach of European Union privacy laws,” said Noyb lawyer Stefano Rossetti.
Rossetti referred to the EU’s e-Privacy Directive, which requires a user’s prior consent to the installation and use of such information.
Apple’s planned new rules would not change this as they would restrict third-party access but not Apple’s.
Apple accounts for one in every four smartphones sold in Europe, according to Counterpoint Research.
The claims were made on behalf of an individual German and Spanish consumer and handed to the Spanish data protection authority and its counterpart in Berlin, said Noyb.
In Germany, unlike Spain, each federal state has its own data protection authority.
Neither authority immediately replied to requests for comment.
Noyb said the claims were based on the 2002 e-Privacy Directive that allows national authorities to impose fines autonomously, as a way to avoid the lengthy proceedings it faced in its case against Facebook that was based on the EU’s General Data Protection Regulation (GDPR).
The GDPR regime launched in 2018 included a mandatory cooperation mechanism among national authorities, which Noyb says has slowed progress.
Rossetti said the action aimed to establish a clear principle that “tracking must be the exception, not the rule”.
(Reporting by Kirsti Knolle, additional reporting by Douglas Busvine. Editing by Jane Merriman, Louise Heavens and Edmund Blair)