Apple’s App Tracking Transparency Framework: Enhancing Privacy or Impeding Competition?
Apple is a Big Tech company which has many things. It has world-leading product lines in both hardware and software. It has millions of customers worldwide. It has a market capitalisation surpassing $2 trillion. It also – uniquely amongst Big Tech companies – has a long-standing reputation as being ‘privacy friendly’.
Apple’s Privacy Friendly Reputation: Two Examples
Two examples can be given to illustrate Apple’s privacy friendly reputation. The first is the Apple v FBI case, which arose from a terrorist attack in San Bernadino, California in 2015. The FBI believed that one of the attacker’s iPhones contained information about the attack which could support its investigation. However, it was unable to unlock the iPhone, so sought Apple’s help. To the surprise of many, Apple refused: citing concerns that, if it built a ‘backdoor’ to unlock one iPhone, it would jeopardise the privacy and security of iPhone users worldwide. In the end, the refusal became moot, because the FBI succeeded in unlocking the iPhone. However, in refusing to help, Apple sent a message, which has since become a well-known brand image: Apple cares about privacy.
A second, more recent, example is Apple’s App Tracking Transparency (ATT) Framework, which was launched in April 2021. In essence, this Framework requires apps on Apple devices to send a ‘permission prompt’, to obtain explicit consent from users, before they can engage in third-party tracking (i.e. before they can track users’ activity across other companies’ apps and websites). The emphasis on third-party tracking is significant: it means that the Framework does not apply if a company has multiple apps of its own, and wants to track users across these apps for its own purposes. Meta, for example, can still track users across Facebook, Instagram and WhatsApp, without the requirement to send a permission prompt, because these are all Meta’s (i.e. non-third-party) apps. In contrast, if a company wants to track users’ activities across its own and another company’s (i.e. a third party) app, then it must send the permission prompt.
The effects of the Framework have been significant: in the first three weeks after implementation, fewer than 15% of Apple users in the US consented to third-party tracking when prompted. Overall, the Framework has been celebrated as a win for privacy, on the basis that it has given Apple users a greater degree of choice and control with respect to their data.
Reputation or Reality?
Examples such as Apple v FBI and the ATT Framework have had considerable success in building and maintaining Apple’s reputation as a privacy friendly company. This is reflected in the fact that, earlier this year, the International Association of Privacy Professionals (IAPP) invited Apple’s CEO Tim Cook to be a keynote speaker at the Global Privacy Summit.
However, despite these examples, and the IAPP’s support, some people continue to dispute the claim that Apple is a privacy friendly company: at least insofar as this claim is made without caveats.
Objection One: Profit Over Principle
For example, Klaus Wiedemann has suggested that ‘Apple’s privacy friendliness only goes as far as is lucrative’. To illustrate this point, he notes that, when asked in 2018 to move the cryptographic keys required to unlock Chinese users’ iCloud accounts from the US to China, Apple did so without protest, even though this made it easier for the Chinese authorities to access the data within users’ accounts. As such, when no profits were at stake, and the story was not in the headlines, Apple appeared to be happy to take steps which were detrimental to users’ privacy.
A potential counter-point is that, regardless of whether Wiedemann’s claim is sound, it arguably should not detract from the significance of the privacy friendly practices that Apple has implemented to date, nor from the fact that these practices have helped to put privacy on the agenda for other technology companies, such as Samsung.
Objection Two: Impeding Competition
A different objection in the literature is that some of Apple’s privacy practices impede competition. This objection has gained prominence recently, as various European competition regulators have launched investigations to determine whether Apple’s ATT Framework complies with competition law. This includes France’s Autorité de la concurrence, Poland’s Urząd Ochrony Konkurencji i Konsumentów and, most recently, Germany’s Bundeskartellamt, all of which have expressed concern that the Framework may ‘self-preference’ Apple.
Specifically, in the words of the President of the Polish competition regulator: ‘In practice, [the ATT Framework] means that Apple has significantly reduced the ability of third-party apps to obtain personal data on iOS in order to send personalised ads […] [D]oubts have arisen as to whether the rules established by Apple were not designed to promote their own advertising service, Apple Search Ads, which could be a violation of competition principles. […] During the course of our investigation, we want to examine whether Apple’s actions may be aimed at eliminating competitors in the market for personalised advertising services, the objective being to better sell their own service.’
If these concerns prove to be well-founded, then the Framework may infringe Article 102 of the Treaty on Functioning of the European Union (TFEU). This is a key provision in EU competition law, which prohibits companies with a dominant position on a market from abusing this position: for example, by adopting tactics to exclude their competitors.
It is important to emphasise that the investigations are still ongoing. As such, some of the key factual details have not yet been confirmed, and no final conclusions about the compatibility of the ATT Framework with competition law have yet been reached. However, either way, the investigations have the potential to complicate Apple’s hitherto popular brand image as privacy friendly and, more generally, to provide an interesting contribution to the complex discussion on the interaction between privacy and competition law.