Inquiry into Apple Distribution International Limited - March 2024
Date of Decision: 7 March 2024
On 7 March 2024, following an inquiry in relation to a complaint received against Apple Distribution International Limited (Apple), the Data Protection Commission (DPC) adopted a decision.
The DPC commenced this inquiry on 2 November 2022 on foot of a complaint that Apple did not give effect to the Complainant’s rights and did not properly comply with its obligations under the GDPR. The Complainant contended that Apple failed to properly comply with an erasure request he submitted and had unlawfully retained certain personal data, in particular his email address.
The Complainant had made an erasure request to Apple in respect of his Apple ID on 3 March 2019. Apple confirmed to the Complainant on the same date that it was handling the erasure request to delete his Apple ID. This confirmation set out that, when the account was deleted, the data stored with Apple would also be permanently deleted. The Complainant was not informed by Apple at the time the erasure request was processed that it had retained a hashed value of his email address.
Apple submitted that it had retained a hashed value of the Complainant’s email address on the basis that the processing was necessary for the purposes of its legitimate interests, including in order to be able to demonstrate compliance with its security obligations under Article 32 of the GDPR; to prevent the recycling of namespaces by users; to protect its users against fraud and security breaches by third parties; and to demonstrate compliance with a user’s request to delete their Apple ID. Apple stated that longer periods of retention are subject to periodic reviews, and that periodic reviews of its retention practices are carried out. Apple informed the DPC that it had convened with its security and engineering teams to review the period for deletion of the hashed email addresses at some fixed period of time, and informed the DPC about a project which it had commenced.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Apple had a lawful basis for retaining a hashed value of the Complainant’s email address on foot of processing an erasure request pursuant to Article 17 of the GDPR;
- The period for which Apple intends to retain the hashed value of the Complainant’s email address;
- Whether Apple met the requirements of Articles 12(1) and 17(1) of the GDPR with regard to the processing of the Complainant’s erasure request;
- Whether Apple complied with the principles of transparency and the provision of information in terms of notifying the Complainant that a hashed value of his email address was retained following the processing of his erasure request.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and, pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned.
Following consultation and agreement from the supervisory authorities concerned, the DPC adopted its decision in accordance with Article 60(7) of the GDPR.
In its decision, following the investigation of the complaint against Apple, the DPC made the following findings:
- The DPC is satisfied that Apple validly relied on Article 6(1)(f) of the GDPR as the lawful basis for retaining a hashed value of the Complainant’s email address in this particular case;
- The DPC is satisfied that Apple has given due consideration to the principle of data minimisation in relation to the retention of the hashed value of the Complainant’s email address;
- The DPC is satisfied that Apple met the requirements of Articles 12 and 17 of the GDPR with regard to the processing of the Complainant’s erasure request in March 2019;
- In the absence of specifically informing the Complainant when he made his erasure request in March 2019 of its intention to retain a hashed value of his email address, and the legal basis and legitimate interests for so doing, Apple failed to meet the transparency requirements of Article 13(1)(c) and Article 13(1)(d) at that time.
Corrective Powers Exercised:
In light of the infringements of Articles 13(1)(c) and 13(1)(d) of the GDPR, the DPC issued a reprimand to Apple pursuant to Article 58(2)(b) of the GDPR, and the DPC ordered Apple, pursuant to Article 58(2)(d) of the GDPR, to review and revise its document entitled “Apple ID Deletion Terms and Conditions” to address the transparency deficiencies identified in the DPC’s decision. In addition, with regard to Apple’s project, the DPC ordered Apple to provide details of completion of this project to the DPC by 31 December 2024.
For more information, you can download a copy of the full decision at this link: Apple Distribution International Limited Final Decision - March 2024 (PDF, 9.5 MB).