This is an HTML version of an attachment to the Freedom of Information request 'Tim Cook Meetings'.


Meeting with Tim Cook Apple 
Ref. Ares(2024)665456 - 29/01/2024
26 September 2023 
MEETING WITH TIM COOK 
CEO of Apple 
Scene setter 
Apple has built its reputation on the privacy and security provided by its devices. Nevertheless, 
CNIL issued EUR 8 million fine in 2022 under the ePrivacy rules for not collecting the consent of 
iPhone users before depositing and/or writing identifiers (cookies or similar) used for advertising 
purposes on their terminals. In addition, several  DPC investigations  are still pending  (see 
background). Apple is not certified under the EU-US Data Privacy Framework (it was also not 
certified under the Privacy Shield, although it participated in the Safe Harbour), but uses standard 
contractual clauses for its data transfers from the EU to third countries. You may therefore want to 
address the following  points: 
Data protection in the EU
• Welcome Apple’s commitment to comply with the GDPR, as well as its engagement with
the Irish Data Protection Authority and other EU data protection authorities.
• Since Apple benefits from GDPR One-Stop-Shop mechanism, stress that the fundaments
of this mechanism are sound, but improvements regarding enforcement are necessary to
ensure quicker and well-reasoned decisions.
• Explain that the Commission adopted on 4/7/2023 the proposal for a Regulation on
additional procedural rules relating to GDPR enforcement.
• Stress that we are not reopening the GDPR. The proposal will not affect any substantial
elements of the GDPR, such as role of DPAs as enforcers and the fundamentals of the One-
Stop-Shop mechanism.
• The proposal anticipates the next COM report on the application of GDPR due for 2024.
For this report, we will collect data from stakeholders as we did for the previous one.
International data flows
• Recall the EU’s commitment to facilitate trusted data transfers, as reflected in our work
on adequacy (e.g. ongoing adequacy talks with Brazil and other Latam/Asian countries) and
trade negotiations (where we systematically table language prohibiting data localisation, e.g.
in our free trade agreements concluded with New Zealand and Chile).
• Explain that, following the modernisation of the EU standard contractual clauses, we are
now working with international partners that have developed similar tools (e.g. in Latin
America and Asia) to facilitate the use of model clauses. For example, we developed a Joint
Guide with ASEAN that identifies the convergence between the EU SCCs and the ASEAN
model clauses, with the aim of helping companies comply with both sets of clauses.
• Inform about the recent adoption of the adequacy decision for the EU-US Data Privacy
Framework, which replaces the previous Privacy Shield and addresses the points raised by
the CJEU in the Schrems II judgment. Stress that all the safeguards negotiated with the US
in the area of national security (e.g. the new Executive Order) apply regardless of the
transfer tool used and therefore also facilitate data transfers on the basis of e.g. SCCs.


Meeting with Tim Cook Apple 
26 September 2023 
 
 
BACKGROUND 
Apple and the GDPR 
The main establishment of Apple in  the EU is in Ireland; the competed DPA is the Irish 
Data Protection Commission (DPC). There are 3 open cross-border inquiries into Apple
1) the lawfulness of the processing in the context of behavioural analysis and targeted 
advertising on its platform. Initiated by La Quadrature du Net  as part of GAFAM 
complaints in 2018. 
2) transparency of processing and 
3) right of access (in relation to an access request for customer service related personal 
data) initiated by NOYB. 
In 2022 following DPC’s inquiry Apple reduced the retention of unblurred images of the 
street views from 18 to 12 months for Apple Maps. 
The number of on-going inquiries concerning Apple is lower in comparison with other big 
tech companies. 
Apple and ePrivacy 
In 2022, the CNIL's fined Apple 8 million euros for not collecting the consent of iPhone's 
French users (iOS 14.6 version) before depositing and/or writing identifiers  (cookies or 
similar) used for advertising purposes on their terminals. 
In 2020 NOYB submitted two complaints against Apple’s tracking code “IDFA” with the 
Data Protection Authority of Berlin and the Spanish data protection authority in November 
2020 on the basis of e-Privacy Directive (Article 5(3)). 
•  Spanish DPA  inquiry is closed.  The Spanish DPA  declared itself not competent in 
2021; In 2023 it was confirmed by the appeal court in Spain. 
•  The complaint in front of the Berlin DPA is pending. 
Apple’s views on the GDPR 
Apple's CEO Tim Cook has singled previously out the GDPR as an example of what the 
US and other countries should be doing. " We should celebrate the transformative work of 
the European institutions tasked with the successful implementation of the GDPR. It is time 
for the rest of the world, including my home country, to follow your lead" said Cook in a 
speech about security in 2018. 
Apple has built its reputation on the privacy and security provided by its devices. The 
iPhone encryption capabilities caused Apple’s clash with the US law enforcement authorities 
several times. 
In the beginning of 2021, in his opening remarks at the annual European Computers, Privacy 
& Data Protection conference in Brussels, Apple CEO Tim Cook criticized companies that 
benefit from gathering customer data. In his speech, Cook outlined also Apple 
technologies and efforts to curtail tracking and unwanted snooping.  
Commission’s proposal on GDPR procedural rules: 
On 4 July 2023, COM adopted the proposal for a regulation laying down additional 
procedural rules relating to the enforcement of the GDPR. The proposal follows up on issues 

 

Meeting with Tim Cook Apple 
26 September 2023 
 
 
identified in COM’s 2020 report on the GDPR and the EP’s resolution on COM’s report. It 
also responds to the “wish-list” the EDPB sent to COM in October 2022, identifying 
procedural issues that should be harmonised at EU level to streamline the work of the data 
protection authorities (DPAs). 
The proposal supplements the GDPR in a targeted way by specifying procedural rules to be 
followed by DPAs when cooperating in cross-border enforcement. The proposal does not 
alter the roles of the actors in the cross-border enforcement procedure and fully supports the 
One-Stop-Shop mechanism. 
The proposal does not affect any substantial elements of the GDPR, such as the rights of data 
subjects, the obligations of data controllers and processors, or the lawful grounds for 
processing personal data as set by the GDPR.  
COM hopes to progress the proposal as quickly as possible towards adoption in the EP’s 
current mandate. Discussion on the COM proposal is on-going in Council (Data Protection 
Working Party). 
EU-ASEAN Guide on model clauses 
Both the EU (the Standard Contractual Clauses, SCCs) and ASEAN (the Model Contractual 
Clauses, MCCs) have independently developed model data protection contracts that can be 
used by companies for their international data transfers. Since these two sets of clauses share 
a number of commonalities, we have been working with the data protection authority of 
Singapore (PDPC) on a Joint EU/ASEAN Guide, with the aim of further facilitating the use 
of these clauses and showcasing their commonalities.   
The objective of the Guide is to help companies operating across the ASEAN and EU regions 
understand the similarities and differences between the respective contractual clauses. This 
will allow them to adapt their processing operations to the required safeguards and to assess 
which additional safeguards they need to ensure when switching between the two sets of 
clauses, thereby facilitating compliance with ASEAN and EU data protection laws. 
To this end, the Guide will consist of two parts:  
-  Part 1 (on which the work is already completed), which identifies the commonalities 
and differences between the EU and ASEAN model contractual clauses for 
international data transfers  (https://commission.europa.eu/system/files/2023-
05/%28Final%29%20Joint_Guide_to_ASEAN_MCC_and_EU_SCC.pdf).    
-  Part 2 (on which we are currently working), which will identify best practices on the 
implementation and use of both sets of clauses. This part will be prepared on the basis 
of input received from stakeholders on Part 1 of the Guide.