Complaints by digital rights group Noyb have been filed against Apple's use of an automatically generated tracking code on every iPhone during its setup, the so-called Identifier for Advertisers (IDFA). (REUTERS)

Privacy activist files complaints against Apples tracking tool

A group led by privacy activist Max Schrems lodged a complaint with German and Spanish data protection authorities on Monday over Apple’s online tracking tool, saying it allowed iPhones to store user data without their consent, in violation of European law.

This is the first major action of its kind against the US tech group over European Union privacy rules.

Apple did not immediately respond to a request for comment.

The California tech giant says it offers users a higher level of privacy protection. The company had said it would tighten its rules even further with the launch of its iOS 14 operating system this fall, but in September it announced it would delay the plan until early next year.

Complaints by digital rights group Noyb have been filed against Apple’s use of an automatically generated tracking code on every iPhone during its setup, the so-called Identifier for Advertisers (IDFA).

The code, stored on the device, allows Apple and third parties to track a user’s online behavior and consumption preferences, which is essential for Facebook to send targeted ads that will be of interest to the user.

Apple places cookie-like codes on their phones without user consent. This is a flagrant violation of European Union privacy laws, Noyb lawyer Stefano Rossetti said.

Rosetti referred to the European Online Privacy Directive, which requires a user’s prior consent for the installation and use of this information.

The new rules planned by Apple would not change this because they would restrict third party access but not that of Apple.

Apple represents one in four smartphones sold in Europe, according to Counterpoint Research.

The claims were made on behalf of a German and Spanish consumer and forwarded to the Spanish data protection authority and its counterpart in Berlin, said Noyb, a privacy group led by Austria’s Schrems who successfully fought two landmark lawsuits against Facebook.

In Germany, unlike Spain, each federal state has its own data protection authority.

The two authorities did not immediately respond to requests for comment.

Rossetti said the action was not about high fines but rather aimed to establish a clear principle that “follow-up should be the exception, not the rule”.

IDFA should not only be restricted, but permanently abolished, he said.

National data protection authorities have the power to impose direct fines on companies for violating EU law under the Online Privacy Directive.

Noyb, who has filed several complaints against Facebook and Google in Ireland and complained that the National Data Protection Commission is slow to act, said he hopes authorities in Spain and Germany will act more quickly.