Apple Inc. may face greater scrutiny in the European Union than the U.S. as regulators investigate possible data-privacy lapses betraying the location of iPhone and iPad users.
The Apple probes in Europe echo similar inquiries that have dogged Google Inc. over wireless Internet data collected by its Street View service, said Nick Graham, head of the London Internet and data protection group of law firm SNR Denton.
“Issues that may not look terribly serious in the U.S. can have much greater significance and seriousness here in Europe, as Google has found out in connection with the WiFi,” said Graham. “There is this tension between the U.S. rules which are much narrower and the EU rules which are much broader.”
Regulators in Germany, France and Italy said last week they are checking whether Apple’s iPhone and iPad products violate privacy rules by tracking, storing and sharing data about the locations of users. Irish officials are also examining “a number of complaints about this issue,” Diarmuid Hallinan, a spokesman for the country’s data protection commissioner, said in an e-mail today.
U.S. lawmakers this week sent letters to six companies, including Apple and Google, to determine how location data is stored on mobile device systems and how it’s transmitted.
The investigations followed a report by O’Reilly Radar, a website owned by Sebastopol, California-based publisher O’Reilly Media. It said Apple devices log latitude-longitude coordinates along with the time of visits to locations across the globe.
Apple, based in Cupertino, California, said yesterday it isn’t tracking the users’ location and plans to reduce the amount of data the iPhone stores.
“Apple is not tracking the location of your iPhone,” the company said in a statement. “Apple has never done so and has no plans to ever do so.”
It said the iPhone saves information on WiFi hotspots and cellular towers near a handset’s current location, which helps the phone determine its location when needed by the user.
Data protection has been a thorn in the side of U.S. technology companies in Europe. While Google has been targeted by regulators across the EU for its Street View program, the U.S. Federal Trade Commission dropped a probe last October after the world’s biggest Internet search company said it would improve privacy safeguards.
“Sometimes the regulators in Europe will go for big brands like Google, and Apple is a big brand,” said Graham. “It will be perceived as a brand that should be demonstrating greater privacy compliance because of its market position.”
Google was fined 100,000 euros ($147,000) in France last month for violating the country’s privacy rules. Dutch watchdogs on April 19 gave the company three months to inform users about private data collected via WiFi by its Street View cars.
Apple has “seen what happened with Street View, they’re not just going to go ahead and ask afterwards whether it was OK,” said Carsten Casper, research director at Gartner Research in Berlin. The more Apple and Google “mature and the bigger and commercially successful they become, the more they’re getting scrutinized.”
Any tracking technology has to be “proportionate” and allow “users to give consent,” said Matthew Newman, a spokesman for EU Justice Commissioner Viviane Reding. The issue will be tackled in proposals for an overhaul of the EU’s 16-year-old data-protection rules later this year, he said.
The U.K. Information Commissioner’s Office said while it’s aware “of the existing concerns” it won’t contact Apple about this issue.
Users should be informed if their handsets collect data on their location “for more than just a fleeting moment,” Lysette Rutgers, a spokeswoman for the Dutch data protection agency, said in an e-mail.
Operating-system developers “must not assume that the user implicitly agrees with the storage of his data on the device,” Rutgers said, declining to comment on specific investigations.
Google, based in Mountain View, California, said all location-sharing on phones based on its Android software requires an opt-in from the user.
“We provide users with notice and control over the collection, sharing and use of location in order to provide a better mobile experience on Android devices,” said Google spokesman Ollie Rickman in an e-mail.
Even where a U.S. company says data is anonymous, it may still breach EU rules, depending on how the scope of personal data is defined, Graham said.
“The most important thing may be to prove that the data is being sent anonymously,” said Jeff Fidacaro, an analyst at Susquehanna Financial Group in New York. “It’s going to be interesting to see how this plays out.”
Separately, the U.K. and Irish information watchdogs said they will investigate the hacking of Sony Corp.’s PlayStation Network after the company warned 77 million customers may have had their personal data stolen.
The Irish Office of the Data Protection Commissioner said it asked Sony for a report on the breaches. The U.K. Information Commissioner’s Office will make additional enquiries before deciding whether to take further action, the regulator said yesterday.
Austrian regulators will “most likely contact Sony regarding this to seek clarification,” Eva Souhrada, executive director of the country’s data protection commission, said in an e-mail today.