Meeting with Tim Cook Apple
Ref. Ares(2024)665456 - 29/01/2024
26 September 2023
MEETING WITH TIM COOK
CEO of Apple
Scene setter
Apple has built its reputation on the privacy and security provided by its devices. Nevertheless,
the CNIL issued a EUR 8 million fine in 2022 under the ePrivacy rules for not collecting the consent of
iPhone users before depositing and/or writing identifiers (cookies or similar) used for advertising
purposes on their terminals. In addition, several DPC investigations are still pending (see
background). Apple is not certified under the EU-US Data Privacy Framework (it was also not
certified under the Privacy Shield, although it participated in the Safe Harbour), but uses standard
contractual clauses for its data transfers from the EU to third countries. You may therefore want to
address the following points:
Data protection in the EU:
• Welcome Apple’s commitment to comply with the GDPR, as well as its engagement with
the Irish Data Protection Authority and other EU data protection authorities.
• Since Apple benefits from the GDPR One-Stop-Shop mechanism, stress that the fundamentals
of this mechanism are sound, but improvements regarding enforcement are necessary to
ensure quicker and well-reasoned decisions.
• Explain that the Commission adopted on 4/7/2023 the proposal for a Regulation on
additional procedural rules relating to GDPR enforcement.
• Stress that we are not reopening the GDPR. The proposal will not affect any substantial
elements of the GDPR, such as the role of DPAs as enforcers and the fundamentals of the
One-Stop-Shop mechanism.
• The proposal anticipates the next COM report on the application of GDPR due for 2024.
For this report, we will collect data from stakeholders as we did for the previous one.
International data flows:
• Recall the EU’s commitment to facilitate trusted data transfers, as reflected in our work
on adequacy (e.g. ongoing adequacy talks with Brazil and other Latam/Asian countries) and
trade negotiations (where we systematically table language prohibiting data localisation, e.g.
in our free trade agreements concluded with New Zealand and Chile).
• Explain that, following the modernisation of the EU standard contractual clauses, we are
now working with international partners that have developed similar tools (e.g. in Latin
America and Asia) to facilitate the use of model clauses. For example, we developed a Joint
Guide with ASEAN that identifies the convergence between the EU SCCs and the ASEAN
model clauses, with the aim of helping companies comply with both sets of clauses.
• Inform about the recent adoption of the adequacy decision for the EU-US Data Privacy
Framework, which replaces the previous Privacy Shield and addresses the points raised by
the CJEU in the Schrems II judgment. Stress that all the safeguards negotiated with the US
in the area of national security (e.g. the new Executive Order) apply regardless of the
transfer tool used and therefore also facilitate data transfers on the basis of e.g. SCCs.
BACKGROUND
Apple and the GDPR
The main establishment of Apple in the EU is in Ireland; the competent DPA is the Irish
Data Protection Commission (DPC). There are 3 open cross-border inquiries into Apple:
1) the lawfulness of the processing in the context of behavioural analysis and targeted
advertising on its platform. Initiated by La Quadrature du Net as part of GAFAM
complaints in 2018.
2) transparency of processing and
3) right of access (in relation to an access request for customer service related personal
data) initiated by NOYB.
In 2022, following the DPC’s inquiry, Apple reduced the retention of unblurred street view
images for Apple Maps from 18 to 12 months. The number of ongoing inquiries concerning Apple
is lower than for other big tech companies.
Apple and ePrivacy
In 2022, the CNIL fined Apple 8 million euros for not collecting the consent of French
iPhone users (iOS 14.6 version) before depositing and/or writing identifiers (cookies or
similar) used for advertising purposes on their terminals.
In November 2020, NOYB submitted two complaints against Apple’s tracking code “IDFA” with the
Data Protection Authority of Berlin and the Spanish data protection authority on the basis
of the e-Privacy Directive (Article 5(3)).
• The Spanish DPA inquiry is closed. The Spanish DPA declared itself not competent in
2021; in 2023 this was confirmed by the appeal court in Spain.
• The complaint in front of the Berlin DPA is pending.
Apple’s views on the GDPR
Apple's CEO Tim Cook has previously singled out the GDPR as an example of what the
US and other countries should be doing. "We should celebrate the transformative work of
the European institutions tasked with the successful implementation of the GDPR. It is time
for the rest of the world, including my home country, to follow your lead" said Cook in a
speech about security in 2018.
Apple has built its reputation on the privacy and security provided by its devices. The
iPhone's encryption capabilities have brought Apple into conflict with US law enforcement
authorities several times.
At the beginning of 2021, in his opening remarks at the annual European Computers, Privacy
& Data Protection conference in Brussels, Apple CEO Tim Cook criticized companies that
benefit from gathering customer data. In his speech, Cook also outlined Apple
technologies and efforts to curtail tracking and unwanted snooping.
Commission’s proposal on GDPR procedural rules
On 4 July 2023, COM adopted the proposal for a regulation laying down additional
procedural rules relating to the enforcement of the GDPR. The proposal follows up on issues
identified in COM’s 2020 report on the GDPR and the EP’s resolution on COM’s report. It
also responds to the “wish-list” the EDPB sent to COM in October 2022, identifying
procedural issues that should be harmonised at EU level to streamline the work of the data
protection authorities (DPAs).
The proposal supplements the GDPR in a targeted way by specifying procedural rules to be
followed by DPAs when cooperating in cross-border enforcement. The proposal does not
alter the roles of the actors in the cross-border enforcement procedure and fully supports the
One-Stop-Shop mechanism.
The proposal does not affect any substantial elements of the GDPR, such as the rights of data
subjects, the obligations of data controllers and processors, or the lawful grounds for
processing personal data as set by the GDPR.
COM hopes to progress the proposal as quickly as possible towards adoption in the EP’s
current mandate. Discussion on the COM proposal is on-going in Council (Data Protection
Working Party).
EU-ASEAN Guide on model clauses
Both the EU (the Standard Contractual Clauses, SCCs) and ASEAN (the Model Contractual
Clauses, MCCs) have independently developed model data protection contracts that can be
used by companies for their international data transfers. Since these two sets of clauses share
a number of commonalities, we have been working with the data protection authority of
Singapore (PDPC) on a Joint EU/ASEAN Guide, with the aim of further facilitating the use
of these clauses and showcasing their commonalities.
The objective of the Guide is to help companies operating across the ASEAN and EU regions
understand the similarities and differences between the respective contractual clauses. This
will allow them to adapt their processing operations to the required safeguards and to assess
which additional safeguards they need to ensure when switching between the two sets of
clauses, thereby facilitating compliance with ASEAN and EU data protection laws.
To this end, the Guide will consist of two parts:
- Part 1 (on which the work is already completed), which identifies the commonalities
and differences between the EU and ASEAN model contractual clauses for
international data transfers
(https://commission.europa.eu/system/files/2023-05/%28Final%29%20Joint_Guide_to_ASEAN_MCC_and_EU_SCC.pdf).
- Part 2 (on which we are currently working), which will identify best practices on the
implementation and use of both sets of clauses. This part will be prepared on the basis
of input received from stakeholders on Part 1 of the Guide.