Apple Investigated by European Privacy Authorities for Tracking Bug

By Dr. Sascha Pres and Dr. Tobias Bosch

Government authorities in France, Italy and Germany are scrutinizing Apple after a report indicated that Apple iPhone and iPad devices are tracking and storing geolocation information and data regarding the time of visits of end users. The devices gathered the information through the use of Wi-Fi hotspots and cell towers around the end users’ current location and then generated an unencrypted file named “consolidated.db” that contained all the information on the device.

In reaction to this report, Apple released a Q&A addressing these issues. According to the Q&A, geolocation data from Wi-Fi hotspots and cell towers was collected due to a bug in its operating software iOS 4. Apple fixed the tracking bug through the latest iOS 4.3.3 update released on May 4, 2011. The update reduces the size of the location database cache and will now store end users’ location data for approximately a week instead of the year’s worth of data stored prior to the update. The location database will no longer be stored on iTunes and the database will be fully deleted when the end user turns off the device’s location services. 

The update is no guarantee that Apple will escape the scrutiny of European privacy authorities. The European Union’s Article 29 Data Protection Working Party recently announced that it has “taken note” of the Apple bug and members may launch investigations in their respective countries. Already the Italian Data Protection Authority (Garante per la protezione dei dati personali) has expanded its open investigation into the processing of personal data by mobile applications, while French privacy regulator CNIL published a set of best practices that they expect Smartphone operators and providers of geolocation services to follow.

Apple has also come under fire in Germany, where the Data Protection Authority of the German state of Bavaria (the governmental authority for data protection regulation of Apple Germany) opened a preliminary investigation to examine whether Apple has violated the strict German privacy rules as a result of the tracking. The agency will also consider if any legal or regulatory remedies or actions will need to be taken or if any administrative fines shall be imposed against Apple, which could lead to an amount of administrative fines up to EUR 300.000. In their investigation, the Bavarian Data Protection Authority has asked Apple Germany to answer several questions, in particular to explain whether the location data are being or has been saved, who has access to this data, what the data is being used for, and why iPhone and iPad end users have not been aware of such data recording.

The end user license agreement for Apple’s iOS 4, however, to which each iOS 4 user must agree, provides for the end user’s prior consent to the collection of location-based data. Therefore, it is unclear whether the Data Protection Authority could impose any fines or similar penalties against Apple Germany.

Copyright © 2016, K&L Gates LLP. All Rights Reserved.