Austrian Privacy Watchdog NOYB Accuses Apple and Others of Failing to Comply With GDPR in Europe

Discussion in 'iOS Blog Discussion' started by MacRumors, Jan 18, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Austrian non-profit organization NOYB, the "European Center for Digital Rights," has reportedly filed a complaint against Apple and seven other tech companies for allegedly failing to comply with GDPR in the European Union.

    NOYB said it tested each company's compliance with GDPR by requesting private data held about 10 users and found that "no service fully complied."

    "Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," said NOYB founder Max Schrems. "This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

    Other companies named in the complaint include Amazon, Netflix, Spotify, YouTube, and three more, according to Reuters.

    GDPR was implemented in May 2018 and gives European Union residents the right to access any personal data a company has stored on them. The regulation led Apple to launch a Data and Privacy portal that allows its customers to download a copy of any data associated with their Apple ID account that Apple maintains.

     
  2. whooleytoo macrumors 604

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #2
    It's a bit ironic that this story appears now, juxtaposed with Apple appealing for more privacy regulation in the U.S.?
     
  3. darkcompass macrumors member

    darkcompass

    Joined:
    Aug 22, 2018
    #3
    The data portal is alive and well, I'd like to know what their criteria were, home pod requests maybe?
     
  4. lec0rsaire macrumors 65816

    Joined:
    Feb 23, 2017
    #4
    Yeah, I think they should go after those who just stole nearly 800 million e-mail addresses instead of worrying about this petty crap.
     
  5. Kynmore macrumors member

    Kynmore

    Joined:
    Aug 3, 2011
    #5
    I did the data portal thing, and got a copy of all my data, and I don't know what they think is missing; what I received was pretty thorough.
     
  6. ___joshuaturner macrumors newbie

    ___joshuaturner

    Joined:
    Dec 15, 2017
    #6
    That's not a new breach, it's just a collection of previous leaks.
     
  7. lec0rsaire macrumors 65816

    Joined:
    Feb 23, 2017
    #7
    Still it’s much more serious than this and they have several other batches. It’s unacceptable that no one is held to account for these breaches.
     
  8. foobarbaz, Jan 18, 2019
    Last edited: Jan 18, 2019

    foobarbaz macrumors 6502a

    Joined:
    Nov 29, 2007
    #8
    It's rather short-term to try and punish those who lost data. It won't prevent any further breaches, because every company thinks they are "secure" and it won't happen to them.

    It's better to prevent companies from needlessly collecting data in the first place, since those are just breaches waiting to happen. At the very least we should know what data we're putting at risk by allowing those companies to collect it.
     
  9. lec0rsaire macrumors 65816

    Joined:
    Feb 23, 2017
    #9
    How do you expect companies to provide services without e-mail address and password credentials?
     
  10. pat500000 macrumors G3

    pat500000

    Joined:
    Jun 3, 2015
  11. Woyzeck macrumors 6502

    Joined:
    Nov 2, 2012
    #11
    One of the reasons for GDPR is that companies with data leaks can now be held accountable.
     
  12. Morris macrumors regular

    Joined:
    Dec 19, 2006
    Location:
    London, Europe
    #12
    NOYB is a non-profit privacy campaign group. Stealing of email addresses is a criminal activity.

    What do you expect NOYB to do? Write an angry blog post about it? Start a civil suit against an unknown criminal?
     
  13. David G., Jan 18, 2019
    Last edited: Jan 18, 2019

    David G. macrumors 65816

    Joined:
    Apr 10, 2007
    Location:
    Alaska
    #13
    By replacing the email requirement with just a username? Obviously this is not suitable for all situations but it is for many.
     
  14. Doctor Q Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #14
    To evaluate this report, we need details. What exactly did Apple (and others) omit when responding to these private data requests?

    I'm guessing that this is less about resistance to the spirit of the law and more about agreeing or disagreeing on what constitutes private data, fixing oversights, and working out any implementation bugs.
     
  15. fairuz macrumors 68000

    fairuz

    Joined:
    Aug 27, 2017
    Location:
    Silicon Valley
    #15
    I was hoping they'd be lax on GDPR. Otherwise they can always find something a company's not doing perfectly. There's already the data portal; idk what else these people want.
     
  16. kdarling macrumors P6

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    First university coding class = 47 years ago
    #16
    No need to guess. Just click on the NOYB link in the lead post, and then on the pdf link to the actual complaint.

    In it, they specifically lay out what GDPR data access requirements each company is alleged to have failed to comply with. They list about nine for Apple Music, in a detailed eight page legal complaint.
     
  17. Doctor Q, Jan 19, 2019
    Last edited: Jan 19, 2019

    Doctor Q Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #17
    Thanks.

    Here are their complaints about Apple Music, which I summarize with slight editing for brevity and grammar:

    In the downloaded personal information, Apple didn't include the following:
    1. The user's "cookies, online identifiers, tracking technologies, beacons, IP addresses, pixels tags or device identifiers," which they claim is part of a user's personal information.
    2. The "exact purposes for which personal data is undergoing processing."
    3. Identification of the "strategic partners that work with Apple to provide products and services."
    4. "Justification for retention" of personal information, to comply with the "principle of storage limitation."
    5. "The envisaged retention period of each category of personal data."
    6. "Information about the existence of a right to request rectification or erasure of personal data, restriction of processing of personal data, or to object to such processing," or to "lodge a complaint with a supervisory authority."
    7. "The sources of the personal data," including from third parties.
    8. "The countries to which personal data is transferred and the safeguards for those countries."
    9. Usable data formats. They claim the raw data (in CSV and JSON formats) was "incomprehensible" and that Apple didn't provide software to read the files and make them understandable.
    They end by claiming that Apple could be subject to a maximum fine of about € 8.02 billion for these violations.

    Apple's lawyers could quibble about some or all of these. For example, there's information about some of these topics on Apple's Privacy Policy page. On your privacy page it's made quite clear that you can correct or delete your data. And TextEdit, Numbers, and Xcode can open the CSV and JSON files although they don't help you interpret the content.
     
  18. entropys macrumors 6502

    entropys

    Joined:
    Jan 5, 2007
    Location:
    Brisbane, Australia
    #18
    By design, of course. Never underestimate the zeal of a regulator. Cost or practicality is irrelevant. They are of a different mindset to ordinary people. And not in a good way. If they get a set on you, they will Find. A. Way. And the Euros are best at that.
     
  19. Loki.Mephisto macrumors 6502

    Loki.Mephisto

    Joined:
    Feb 12, 2005
    Location:
    Germany / Austria - Mozart, no Kangaroos!
    #19
    They are lax on GDPR actually. In particular, the Austrian government issued a regulation basically being a "get out of jail for free" rule.

    For now I guess it is safe to assume Apple has nothing to fear as far as Austria is concerned
     
  20. MyopicPaideia macrumors 68000

    MyopicPaideia

    Joined:
    Mar 19, 2011
    Location:
    Trollhättan, Sweden
    #20
    What do you expect “them” to do? The idea is that you have this law to proactively monitor and hold the companies accountable, making them have systems that allow a private citizen to be aware of, gain access to, and have the right to require a company to eliminate any personal data.

    You can’t just say go after the companies that have a breach. That is very reactive. GDPR is meant to be a proactive measure to ensure that companies take responsibility for the data they have, and emphasize that the data they have is it their property.

    The fundamental change here is opt in vs opt out. In order to not be breaking the law, you have to get explicit (active) permission to collect the data in the first place, rather than implicit (passive) permission. You also have to have a system in place to allow access to that data upon request, and are legally required to comply with any directive to remove/eliminate/delete any and all personal data from the owner of that data (i.e. the private citizen).

    The interesting thing about this is that if a company is in compliance with the law, it will be extremely hard to hold them accountable should a breach occur, as now in theory, all the personal data they have has been actively given, and information about how data is stored, secured and used is freely available to those who allowed their data to be collected. It could be argued that in practice, GDPR is more of a corporate CYA measure than a statement of intent in defense of personal privacy.

    People aren’t willing to give up using their favored services & websites, and essentially are very ready to sacrifice privacy for convenience.

    Arguably the only real practical effect of GDPR is that it is much more irritating to browse the web these days in the EU, with auto pop ups about allowing cookies and a “personalized browsing experience.” That a 3 decade old internet business model is still relatively unchanged is our fault as consumers. But at this point “free” cloud services are so embedded in the marketplace that websites and companies are actually requiring opting in as a condition of using their website/service - i.e., we’re going to collect your data whether you like it or not, so unless you allow this, you can’t go further. When confronted with this ultimatum, most consumers just comply rather than take the time to try to find an alternative or do without.
     
  21. fairuz macrumors 68000

    fairuz

    Joined:
    Aug 27, 2017
    Location:
    Silicon Valley
    #21
    So far it's just some random private group making an accusation.
    --- Post Merged, Jan 20, 2019 ---
    Wouldn't make me feel any safer if they were.
     
