Apple’s CEO Tim Cook has urged Europe to step up privacy enforcement in a keynote speech to the CPDP conference today — echoing many of the points he made in Brussels in person two years ago when he hit out at the ‘data industrial complex’ underpinning the adtech industry’s mass surveillance of Internet users.
Reforming current-gen adtech is now a humanitarian imperative, he argued in a speech that took a bunch of thinly-veiled swipes at Facebook.
“As I said in Brussels two years ago, it is certainly time, not only for a comprehensive privacy law here in the United States, but also for worldwide laws and new international agreements that enshrine the principles of data minimization, user knowledge, user access and data security across the globe,” said Cook.
“Together, we must send a universal, humanistic response to those who claim a right to users’ private information about what should not and will not be tolerated,” he added.
The message comes at a critical time for Apple as it prepares to flip a switch that will, for the first time, require developers to gain opt-in user consent to tracking.
Earlier today Apple confirmed it would be enabling the App Tracking Transparency (ATT) feature in the next beta release of iOS 14, which it said would roll out in early spring.
The tech giant had intended to debut the feature last year but delayed to give developers more time to adapt.
Adtech giant Facebook has also been aggressively briefing against the shift, warning of a major impact on publishers who use its ad network once Apple gives its users the ability to refuse third party tracking.
Reporting its Q4 earnings yesterday, Facebook also sounded a warning over “more significant advertising headwinds” impacting its own bottom line this year — naming Apple’s ATT as a risk (as well as what it couched as “the evolving regulatory landscape”).
In the speech to a data protection and privacy conference which is usually held in Brussels (but has been streamed online because of the pandemic), Cook made an aggressive defence of ATT and Apple’s pro-privacy stance in general, saying the forthcoming tracking opt-in is about “returning control to users” and linking adtech-fuelled surveilled of Internet users to a range of harms, including the spread of conspiracy theories, extremism and real-world violence.
“Users have asked for this feature for a long time,” he said of ATT. “We have worked closely with developers to give them the time and resources to implement it and we’re passionate about it because we think it has great potential to make things better for everybody.”
The move has attracted a competition challenge in France where four online advertising lobbies filed an antitrust complaint last October — arguing that Apple requiring developers ask app users for permission to track them is an abuse of market power by Apple. (A similar complaint has been lodged in the UK over Google’s move to depreciated third party tracking cookies in Chrome — and there the regulator has opened an investigation.)
The Information also reported today that Facebook is preparing to lodge an antitrust lawsuit against Apple — so the legal stakes are rising. (Though the social media giant is itself being sued by the FTC which alleges it has maintained a social networking monopoly via years of anti-competitive conduct… )
In the speech Cook highlighted another recent pro-privacy move made by Apple to require iOS developers to display “privacy nutrition” labels within the App Store — providing users with an overview of their data collection practices. Both the labels and the incoming ATT apply in the case of Apple’s own apps (not just third parties), as we reported earlier.
Cook said these moves align with Apple’s overarching philosophy: To make technology that “serves people and has their well-being in mind” — contrasting its approach with a rapacious ‘data industrial complex’ that wants to aggregate information about everything people do online to use against them, as a tool of mass manipulation.
“It seems no piece of information is too private or personal to be surveilled, monetized and aggregated into a 360 degree view of your life,” Cook warned. “The end result of all of this is that you are no longer the customer; you are the product.
“When ATT is in full effect users will have a say over this kind of tracking. Some may well think that sharing this degree of information is worth it for more targeted ads. Many others, I suspect, will not. Just as most appreciated it when we built this similar functionality into Safari limiting web trackers several years ago,” he went on, adding that: “We see developing these kinds of privacy-centric features and innovations as a core responsibility of our work. We always have, we always will.”
Apple’s CEO pointed out that advertising has flourished in the past without the need for privacy-hostile mass surveillance, arguing: “Technology does not need vast troves of personal data stitched together across dozens of websites and apps in order to succeed. Advertising existed and thrived for decades without it. And we’re here today because the path of least resistance is rarely the path of wisdom.”
He also made some veiled sideswipes at Facebook — avoiding literally naming the adtech giant but hitting out at the notion of a business that’s built on “surveilling users”, on “data exploitation” and on “choices that are no choices at all”.
Such an entity “does not deserve our praise, it deserves reform”, he went on, having earlier heaped praise on Europe’s General Data Protection Regulation (GDPR) for its role in furthering privacy rights — telling conference delegates that enforcement “must continue”. (The GDPR’s weak spot to date has been exactly that; but 2.5 years in there are signs the regime is getting into a groove.)
In further sideswipes at Facebook, Cook attacked the role of data-gobbling, engagement-obsessed adtech in fuelling disinformation and conspiracy theories — arguing that the consequences of such an approach are simply too high for democratic societies to accept.
“We should not look away from the bigger picture,” he argued. “At a moment of rampant disinformation and conspiracy theories juiced by algorithms we can no longer turn a blind eye to a theory of technology that says all engagement is good engagement, the longer the better. And all with the goal of collecting as much data as possible.
“Too many are still asking the question how much can we get away with? When they need to be asking what are the consequences? What are the consequences of prioritizing conspiracy theories and violent incitement simply because of the high rates of engagement? What are the consequences of not just tolerating but rewarding content that undermines public trust in lifesaving vaccinations? What are consequences of seeing thousands of users join extremist groups and then perpetuating an algorithm that recommends even more,” he went on — sketching a number of scenarios of which Facebook’s business stands directly accused.
“It is long past time to stop pretending that this approach doesn’t come with a cost. Of polarization. Of lost trust. And — yes — of violence. A social dilemma cannot be allowed to become a social catastrophe,” he added, rebranding ‘The Social Network’ at a stroke.
Apple has reason to appeal to a European audience of data protection experts to further its fight with adtech objectors to its ATT, as EU regulators have the power to take enforcement decisions that would align with and support its approach. Although they have been shy to do so so far.
Facebook’s lead data protection supervisor in Europe, Ireland’s Data Protection Commission (DPC), has a backlog of investigations into a number of aspects of its business — including its use of so-called ‘forced consent’ (as users are not given any choice over being tracked for ad targeting if they wish to use its services).
That lack of choice stands in stark contrast to the change Apple is driving on its App Store, where all entities will be required to ask users if they want to be tracked. So Apple’s move aligns with the principles of European data protection law (which, for example, requires that consent for processing people’s data be freely given in order to be legally valid).
Equally, Facebook’s continued refusal to give users a choice stands in direct conflict with EU law and risks GDPR enforcement. (The kind Cook was urging in his speech.)
2021 looks like it could be a critical year on that front. A long running DPC investigation into the transparency of data-sharing between WhatsApp and Facebook is headed for enforcement this year — after Ireland sent a draft decision to the other EU data protection agencies at the back end of last year.
Last week Politico reported WhatsApp could be on the hook for a fine of between €30M and €50M in that single case. More pertinently for the tech giant — which paid a $5BN fine to the FTC in 2019 to settle charges related to privacy failings (but was not required to make any material changes to how it operates its ad business) — WhatsApp could be ordered to change how it handles user data.
A regulatory order to stop processing certain types of user data — or mandating it ask users for consent before it can do so — could clearly have a far greater impact on Facebook’s business empire.
The tech giant is also facing a final verdict later this year on whether it can continue to legally transfer European users’ data out of the bloc.
If Facebook is ordered to suspend such data flows that would mean massive disruption to a sizeable chunk of its business (in 2019 it reported 286M DAUs in the region in Q1).
So — in short — the regulatory conditions around Facebook’s business are certainly ‘evolving’.
The data industrial complex’s fight back against the looming privacy enforcement at Apple’s platform level involves ploughing legal resource into trying to claim such moves are anti-competitive. However EU lawmakers seem alive to this self-interested push to appropriate ‘antitrust’ as a tool to stymie privacy enforcement.
(And it’s notable that Cook referred to privacy “innovation” in the speech. Including this ask: “Will the future belong to the innovations that make our lives better, more fulfilled and more human?” — which is really the key question in the privacy vs competition regulation ‘debate’.)
Last month Commission EVP and competition chief, Margrethe Vestager told the OECD Global Competition Forum that antitrust enforcers should be “vigilant so that privacy is not used as a shield against competition”. However her remarks had a sting in the tail for the data industrial complex — as she expressed support for a ‘superprofiling’ case against Facebook in Germany.
That case (which is continuing to be litigated by the German FCO) combines privacy and competition in new and interesting ways. If the regulator prevails it could result in a structural separation of Facebook’s social empire at the data level — in a sort of regulatory equivalent of moving fast and breaking things.
So it’s notable Vestager dubbed that piece of regulatory innovation “inspiring and interesting”. Which sounds more of a vote of confidence than condemnation from Europe’s digital policy and competition chief.