Austrian Privacy Watchdog NOYB Accuses Apple and Others of Failing to Comply With GDPR in Europe

I was hoping they'd be lax on GDPR. Otherwise they can always find something a company's not doing perfectly. There's already the data portal; idk what else these people want.

They are lax on GDPR actually. In particular, die Austrian government issued a regulation basically being a "get out of jail for free" rule.

For now I guess it is safe to assume Apple has nothing to fear as far as Austria is concerned

Yeah, I think they should go after those who just stole nearly 800 million e-mail addresses instead of worrying about this petty crap.

I did the data portal thing, and got a copy of all my data, and I don't know what they think is missing; what i received was pretty thorough.

Yeah, I think they should go after those who just stole nearly 800 million e-mail addresses instead of worrying about this petty crap.

That's not a new breach, it's just a collection of previous leaks.

Still it’s much more serious than this and they have several other batches. It’s unacceptable that no one is held to account for these breaches.

It's rather short-term to try and punish those who lost data. It won't prevent any further breaches, because every company thinks they are "secure" and it won't happen to them.

It's better to prevent companies from needlessly collecting data in the first place, since those are just breaches waiting to happen. At the very least we should know what data we're putting at risk by allowing those companies to collect it.

To evaluate this report, we need details. What exactly did Apple (and others) omit when responding to these private data requests?

I'm guessing that this is less about resistance to the spirit of the law and more about agreeing or disagreeing on what constitutes private data, fixing oversights, and working out any implementation bugs.

No need to guess. Just click on the NOYB link in the lead post, and then on the pdf link to the actual complaint.

In it, they specifically lay out what GDPR data access requirements each company is alleged to have failed to comply with. They list about nine for Apple Music, in a detailed eight page legal complaint.

Thanks.

Here are their complaints about Apple Music (https://noyb.eu/wp-content/uploads/2019/01/AppleMusic_Complaint_geschwärzt.pdf), which I summarize with slight editing for brevity and grammar:

In the downloaded personal information, Apple didn't include the following:
[LIST=1]
* The user's "cookies, online identifiers, tracking technologies, beacons, IP addresses, pixels tags or device identifiers," which they claim is part of a user's personal information.
* The "exact purposes for which personal data is undergoing processing."
* Identification of the "strategic partners that work with Apple to provide products and services."
* "Justification for retention" of personal information, to comply with the "principle of storage limitation."
* "The envisaged retention period of each category of personal data."
* "Information about the existence of a right to request rectification or erasure of personal data, restriction of processing of personal data, or to object to such processing," or to "lodge a complaint with a supervisory authority."
* "The sources of the personal data," including from third parties.
* "The countries to which personal data is transferred and the safeguards for those countries."
* Usable data formats. They claim the raw data (in CSV and JSON formats) was "incomprehensible" and that Apple didn't provide software to read the files and make them understandable.

They end by claiming that Apple could be subject to a maximum fine of about € 8.02 billion for these violations.

Apple's lawyers could quibble about some or all of these. For example, there's information about some of these topics on Apple's Privacy Policy ('https://www.apple.com/legal/privacy/en-ww/') page. On your privacy page ('https://privacy.apple.com') it's made quite clear that you can correct or delete your data. And TextEdit, Numbers, and Xcode can open the CSV and JSON files although they don't help you interpret the content.

I was hoping they'd be lax on GDPR. Otherwise they can always find something a company's not doing perfectly. There's already the data portal; idk what else these people want.

By design, of course. Never underestimate the zeal of a regulator. Cost or practicality is irrelevant. They are of a different mindset to ordinary people. And not in a good way. If they get a set on you, they will Find. A. Way. And the Euros are best at that.

Yeah, I think they should go after those who just stole nearly 800 million e-mail addresses instead of worrying about this petty crap.

One of the reasons for GDPR is that companies with data leaks can now be held accountable.

It's a bit ironic that this story appears now, juxtaposed with Apple appealing for more privacy regulation in the U.S.?