Apple has released a report highlighting its concerns about how some companies could "weaponize" the EU's Digital Markets Act (DMA) interoperability requirements to access sensitive user data. The report came on the same day that the European Commission began consulting on the proposed measures for requesting interoperability with Apple's iOS and iPadOS operating systems.
The DMA, which came into force this year, requires major platform holders like Apple to provide third-party developers equal access to iOS and iPadOS system tools and features. One of the Commission's proceedings focuses on the process Apple has set up to address interoperability requests submitted by developers and third parties for iOS and iPadOS. While Apple says it is fully committed to complying with the interoperability regulations, which aim to create fair competition, it is worried about unintended consequences resulting from the law's interpretation that could have a negative impact on user privacy.
Apple's report specifically calls out Meta, which has made 15 separate requests "and counting" for access to Apple's technology stack. According to Apple, Meta's requests have included access to features like messaging capabilities, AirPlay, CarPlay, and the App Intents framework. If granted as requested, Apple warns that these permissions would potentially allow Meta's apps to access a range of user data spanning messages, phone calls, photos, app usage, and passwords on their devices.
"In many cases, Meta is seeking to alter functionality in a way [...] that appears to be completely unrelated to the actual use of Meta external devices, such as Meta smart glasses and Meta Quests," says Apple. The report continues:
"If Apple were to have to grant all of these requests, Facebook, Instagram, and WhatsApp could enable Meta to read on a user's device all of their messages and emails, see every phone call they make or receive, track every app that they use, scan all of their photos, look at their files and calendar events, log all of their passwords, and more. This is data that Apple itself has chosen not to access in order to provide the strongest possible protection to users."
Apple in the report is keen to emphasize its longtime support for developer access to device features through more than 250,000 APIs, but always with built-in privacy protections. The company points to historical examples like TouchID implementation and microphone access, where developers can take advantage of these features while maintaining privacy and control safeguards.
The report expresses particular concern about companies with previous privacy violations potentially circumventing GDPR protections through DMA requirements. Apple notes that while it processes data on-device whenever possible, other companies might use that information for their own gain. "Third parties may not have the same commitment to keeping the user in control on their device as Apple, and may prefer to move user information to their servers—where they can combine, profile, and monetize an individual's private data," Apple warns.
Apple's publication underlines its commitment to reviewing and implementing interoperability requests as per the DMA when feasible, but the company argues that solutions must preserve platform integrity and protect sensitive user data. As a way to achieve this, Apple outlines its four-step process for handling interoperability requests that includes initial assessment, project planning, development, and release phases.
"We will never abandon our bedrock commitment to our users' privacy and security," adds Apple. "We trust that the EC will seek to implement the interoperability requirements in a manner that respects the GDPR."
Meta yesterday responded to Apple's criticisms, claiming that "Every time Apple is called out for its anti-competitive behavior, they defend themselves on privacy grounds that have no basis in reality." However, Meta itself has previously come under criticism for privacy violations several times. Just this week, the UK's Ofcom said it was opening an investigation into Meta's Instagram for "turning a blind eye to ads for child sex abuse," while a new report by MLex said that more than half of UK scams involve Meta platforms.
Meta has also been fined €251 million ($265 million) by Ireland's Data Protection Commission for a 2018 Facebook breach affecting three million accounts in Europe, exposing names, contact details, locations, and children's data. Meta is expected to appeal the decision.
The Commission's interoperability proceedings began in September 2024 and are set to conclude within six months of opening.
Note: Due to the political or social nature of the discussion regarding this topic, the discussion thread is located in our Political News forum. All forum members and site visitors are welcome to read and follow the thread, but posting is limited to forum members with at least 100 posts.
