French startup lobby targets Apple with ‘privacy hypocrisy’ complaint

Apple is facing another privacy complaint in Europe: A startup lobby group, France Digitale, has asked the country’s data protection watchdog to investigate alleged breaches of EU rules.

The complaint, reported earlier by Politico, follows two similar complaints lodged in Germany and Spain by EU privacy campaign group noyb last year.

All these complaints are (directly and indirectly) targeting Apple’s IDFA — aka its mobile device Identifier for Advisers — with noyb arguing Apple should be gathering consent from users in the EU prior to assigning this unique device (whose purpose is, as the name suggests, to enable device tracking for ad targeting).

France Digitale’s complaint also raises competition concerns, pointing to a looming switch by Apple — to require opt-in for third-party apps to track users — and contrasting that with a “personalized advertising” setting in iOS which it says lets Apple track users and is switched on by default.

It suggests that default is contrary to requirements under EU law (citing consent standards in the European Union’s General Data Protection Regulation; GDPR).

The France Digitale complaint also raises questions over the level of data access Apple provides iOS users related to the ad targeting it carries out — saying users are only provided with “generic data (year of birth, sex, location)”, rather than fuller targeting data.

In a statement responding to the complaint, an Apple spokesperson told us:

The allegations in the complaint are patently false and will be seen for what they are, a poor attempt by those who track users to distract from their own actions and mislead regulators and policymakers. Transparency and control for the user are fundamental pillars of our privacy philosophy, which is why we’ve made App Tracking Transparency equally applicable to all developers including Apple. Privacy is built into the ads we sell on our platform with no tracking. We hold ourselves to a higher standard by allowing users to opt out of Apple’s limited first-party data use for personalized advertising, a feature that makes us unique.

The CNIL has also been contacted for comment on the complaint. Update: A spokesperson told us: “The France Digitale complaint against Apple has been registered. An enquiry will be opened.”

The latest IDFA-related complaint against Apple is a little unusual as it’s not coming from a privacy group — but a startup lobby.

Evidently, though, Apple’s decision to switch to requiring opt-in from iOS users to third-party tracking (rather than opt out) is ruffling feathers. (The move also led to a publisher lobby group in France to file a competition complaint last year). The not-so-subtle subtext, here, is Apple is being accused of privacy hypocrisy.

Asked why France Digitale is making a privacy complaint against Apple, a spokesman told TechCrunch: “Startups play by the rules. We expect the world’s largest tech company to do so. We believe no scale-up can thrive without a regulatory level-playing field.”

“We are merely asking the CNIL to enforce the law. Privacy watchdogs investigate our startup members all the time. Lets them use their expertise on the bigger cats,” he added.

While the group has attracted some quick publicity with the complaint to the CNIL, under GDPR’s one-stop-shop mechanism the matter would have to be referred to Ireland’s Data Protection Commission — which is Apple’s lead data supervisor in the EU — which would then take a decision on whether or not to investigate. So there’s unlikely to be any quick regulatory action on this issue.

However if the CNIL decides the matter falls under the EU’s ePrivacy Directive it could take (speedier) action itself, as it has recently in cases against Amazon and Google related to cookie consent. A spokesperson for the regulator said it cannot confirm whether the complaint will be investigated under GDPR or ePrivacy as yet. “For the moment, we can’t answer. We have to analyze in detail what has been sent to us,” they said.

This report was updated to clarify that it’s not yet clear whether the investigation will fall under GDPR or the ePrivacy Directive and to add comment from the CNIL