Apple hit with two privacy complaints in Europe over its mobile tracking tool for advertisers

Key Points
  • Austrian privacy activist Max Schrems' non-profit group Noyb alleges Apple's use of a tracking code on iPhones breaches European law.
  • Apple had originally planned to require app developers to ask users if they want to opt-in to such tracking, but it has delayed this feature.
  • Schrems has risen to fame in the last decade for taking on Facebook over the transfer of European citizens' data to the U.S.
Apple CEO Tim Cook reveals the new iPhone 12.

LONDON — Apple on Monday found itself the target of two complaints from Austrian privacy activist Max Schrems, who has successfully fought Facebook in historic legal battles twice before.

Schrems' Vienna-based non-profit group, Noyb, filed complaints in Germany and Spain alleging Apple's use of a tracking code on iPhones, called IDFA, breaches European law.

IDFA, or Identifier for Advertisers, is a unique device ID number used by advertisers to better target ads and estimate their effectiveness. Noyb argues the tool is created and stored on Apple devices without user consent.

"The IDFA is placed into the device without the user's consent," Stefano Rosetti, data protection lawyer at Noyb, told CNBC. "We find that this constitutes a violation of the so-called "cookie law" ... which prohibits the installation of trackers of any sort without the user consent."

Apple disputed Noyb's complaints in a statement Monday, saying its practices "comply with European law" and that its latest software release, iOS 14, gives users "greater control" over ad tracking.

"The claims made against Apple in this complaint are factually inaccurate and we look forward to making that clear to privacy regulators should they examine the complaint," a spokesperson for the company said. "Apple does not access or use the IDFA on a user's device for any purpose."

Apple — which already allows users to opt-out of personalized advertising in their phone's settings — had originally planned to require app developers on its iOS mobile operating system to ask users if they want to opt-in to such tracking.

But it took the decision to delay this change to early 2021 after warnings over the impact it could have on Facebook and other mobile advertisers. Nevertheless, Noyb's Rosetti doesn't think the company's new feature would make much of a difference.

"It's not clear, for example, if the tracker will still be created and then some sort of technical mechanism will hinder third parties from accessing it," he said. "And what about Apple? Will the company access the tracker? Again it's not clear."

"In a sense, it does not concern this action because ... our point is that the tracker should not be created/installed in the first place (at least without the user's informed and freely given consent)."

Noyb said its complaints weren't based on GDPR — a major piece of EU legislation that allows authorities to impose hefty fines — meaning the Spanish and German regulators can fine Apple directly without having to cooperate with other data protection authorities in the bloc.

Schrems has risen to fame in the last decade for taking on Facebook over the transfer of European citizens' data to the U.S. He argued that, in light of revelations from American whistleblower Edward Snowden, U.S. law did not offer sufficient protection against surveillance by public authorities.

His first major victory came in 2015 when he successfully brought down the EU's Safe Harbor agreement on EU-U.S. data transfers. Five years later, the European Court of Justice agreed with Schrems that a new framework called the Privacy Shield doesn't adequately protect the privacy of Europeans.

It's a major development that means companies moving people's personal data from the EU to other jurisdictions will have to provide the same protections given inside the bloc. Facebook has clashed with Ireland's data protection watchdog over the matter, arguing it could threaten its EU operations.