Apple accused of potential improper data-sharing.
Earlier this month, American multinational technology company Apple came under scrutiny for its data-sharing practice of sending the IP addresses of users of its Safari browser to Google and to the China-based tech company Tencent.
Apple has since defended this practice, noting that it is a Safari Fraudulent Warning security feature aimed at flagging websites known to be malicious. In an interview with iMore, Apple reportedly noted that “When the feature is enabled, Safari checks the website URL against lists of known websites and displays a warning if the URL the user is visiting is suspected of fraudulent conduct like phishing. To accomplish this task, Safari receives a list of websites known to be malicious from Google, and for devices with their region code set to mainland China, it receives a list from Tencent. The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”
It is worth noting that Apple’s Fraudulent Website Warning setting is on by default. As such, users would have to delve into their settings and toggle it off if they do not want their IP address forwarded to Google and Tencent when using the Safari browser. It is also reported that toggling this setting to “off” would potentially render browsing sessions less secure.
Potential GDPR and CCPA implications?
Because IP addresses can reveal user locations and can also be used to profile users, they are deemed online identifiers and are therefore personal data as covered by Recital 30 GDPR, which means that this feature would be subject to GDPR compliance.
The recent Cookies Consent ruling by the CJEU, explored in one of our recent blog posts, could also potentially affect the way Apple handles its default permission settings.
Moreover, with the California Consumer Privacy Act Regulations (CCPA Regulations), scheduled to take effect on January 1, 2020, introducing consumer rights related to third-party sharing for companies doing business with California residents, it is likely that Apple would also have to review this practice to ensure CCPA compliance.
This practice was explained in the privacy policy, within the section “About Safari & Privacy”, and it was publicly accessible to anyone who opened the Settings app. However, although the privacy policy must, for the sake of transparency and in line with Articles 13 and 14 GDPR, list every processing of personal data carried out by the controller, adding a processing activity to the privacy policy does not automatically make it lawful: a valid legal basis for the processing (contract, consent or legitimate interest, among others) is still required.
Does your company website facilitate data sharing with third parties? Aphaia’s GDPR and CCPA adaptation services, including our data protection impact assessments and Data Protection Officer outsourcing, will help you ensure compliance with the GDPR and with the CCPA Regulations that are soon to take effect.
Reference: iMore