Privacy watchdogs in Europe are considering a complaint against Apple filed by a former employee, Ashley Gjøvik, who alleges the company fired her after she raised a number of concerns, internally and publicly, including about safety in the workplace.
Gjøvik, a former senior manager of Apple’s engineering program, was fired from the company last September after she also raised concerns about her employer’s approach to staff privacy, some of which were covered by The Verge in a report in August 2021.
At the time, Apple had placed Gjøvik on administrative leave after she raised concerns about sexism in the workplace and a hostile and unsafe work environment, which it had said it was looking into. She subsequently filed complaints against Apple with the US National Labor Relations Board.
Those earlier complaints tie in with the privacy complaint she has now sent to international oversight bodies because Gjøvik says she wants scrutiny of Apple’s privacy practices after she formally told the US government of “invasions of privacy”, as she puts it, accusing Apple of using her concerns about its approach to staff privacy as a pretext to fire her for reporting broader safety concerns and organizing with other employees about workplace concerns.
The UK Information Commissioner’s Office (ICO) and France’s CNIL confirmed receipt of Gjøvik’s privacy complaint against Apple.
An ICO spokesperson told TechCrunch: “We are aware of this matter and will evaluate the information provided.”
France’s CNIL also sent confirmation that it is looking into Gjøvik’s complaint.
“We have received this complaint which is currently being investigated,” a CNIL spokesperson told us, adding: “I cannot communicate any further details at this time.”
The development was first covered by the Telegraph, which reported yesterday that it is thought to be the first time Gjøvik has tried to press her privacy complaint against Apple in the UK.
The Irish Data Protection Commission (DPC), which is Apple’s lead data protection regulator in the European Union for the EU’s General Data Protection Regulation (GDPR), and which, under the one-stop-shop mechanism of the regulation, would probably take the lead role in any inquiry related to a GDPR complaint that has also been filed with other EU privacy regulators (such as France’s CNIL), declined to comment. The DPC would neither confirm nor deny receiving Gjøvik’s complaint.
A DPC spokesman said: “The DPC cannot comment on individual cases. All inquiries brought before the DPC are assessed and progressed in accordance with the DPC’s complaint handling functions, where appropriate to do so.”
Ireland has a number of ongoing GDPR investigations into Apple’s data processing practices, including the company’s privacy policies, but the DPC has yet to issue any decisions in relation to those multi-year investigations.
If the DPC were to decide that this complaint warranted opening a new investigation into Apple, it would likely take years to reach a public outcome given the Irish regulator’s vast backlog of GDPR case files.
In a conclusion to the complaint, Gjøvik urges regulators to “investigate the issues I raised and open a broader investigation into these issues within Apple’s corporate offices around the world,” further alleging: “Apple asserts that human rights do not differ by geographic location, yet Apple also admits that the French and German governments would never allow it to do what it is doing in Cupertino, California and elsewhere.”
Face ID Gobbler App
The 54-page “invasion of privacy complaint,” which Gjøvik says was filed with European regulators earlier this month, takes issue with the company’s approach to employee privacy, raising concerns about a number of practices, including an internal Apple program to collect biometric data from staff using an app called “Gobbler” (later “Glimmer”), apparently as part of the product development process for Face ID.
More broadly, the complaint focuses on the breadth of Apple’s “anti-employee privacy” and secrecy policies, as well as what Gjøvik alleges are “unlawfully restrictive” NDAs.
Apple was contacted for comment on the complaint, but at the time of writing the company had not responded.
The tech giant’s approach of inviting employees to participate in product tests involving biometric data capture sometimes made Gjøvik feel their participation was mandatory, according to the complaint, and in one case she details, she describes how she responded to what she thought was a “mandatory social event” that turned out to involve manually testing Face ID using the Gobbler app while cooped up in a secure outdoor enclosure in bright sunlight.
According to the complaint, information Apple internally provided to staff about Gobbler prompted employees to upload data from the app captured in their homes.
“Apple was pressuring employees to upload their ‘face-print data’ to Apple’s internal servers, capturing secret photos and videos of employees, and told employees that face-related records were automatically uploaded from their iPhones every day,” Gjøvik alleges.
“It was not very clear what data was loaded automatically, how and when,” she also states. “My open questions included whether my personal data was being backed up to employee iCloud backups, synced via iCloud, and/or accessed/copied by Apple corporate MDM profiles, or other Global security surveillance of employee phones. Also it annoyed me that the app was taking photos/videos without any notification (sound, signal, etc.), which made me think that Apple, if it wanted, could activate the cameras on my device and look at me without me knowing at any time too. I have spoken to other employees, including managers, with similar concerns.”
Gjøvik cites a public statement by Apple that more than a billion images were used in the development of its Face ID algorithm, claiming that the company never responded to questions posed by Senator Al Franken, who asked where those images came from after the launch of Face ID. “[Apple VP Craig] Federighi did not say that these images came from employees like me, whether they wanted to share them or not,” she suggests.
According to the complaint, Apple informed staff of restrictions on employees uploading data to Gobbler in countries outside of the US, though the complaint also cites an email from an Apple manager claiming that one such study was being performed in “the US, Brazil, Tel Aviv, and the EU” but not France or Germany.
“I also saw in the notes that the app was banned in Japan and China, but then at some point Apple decided to collect some logs there anyway,” Gjøvik suggests.
Apple has offices across Europe, including in the UK, France, Ireland, and elsewhere in the region, so it’s at least possible that employees in those locations used the Gobbler app to upload their biometrics. If that were to happen, it could involve data protection considerations, such as what legal basis Apple might rely on to process this data. But it remains to be seen whether the European regulators who have received her complaint decide there is something here for them to investigate.
Under the GDPR, consent is one of several possible legal grounds for processing personal data. However, for consent to be a valid legal basis, it must be informed, specific and freely given, and even setting aside questions about whether staff were adequately informed about what would be done with their biometric data, the employer-employee power dynamic could undermine their ability to consent freely (i.e., versus feeling that they must participate in such tests because their employer asks). So there could be reasons for closer scrutiny.
Gjøvik’s complaint was also addressed to the European Data Protection Supervisor (EDPS), although a spokesperson for the body confirmed that the EDPS would not investigate such a matter as its supervisory role is focused on the EU institutions, bodies or agencies themselves.
The complaint also lists Canada’s Office of the Privacy Commissioner as another body it was sent to, along with digital rights groups EFF and Big Brother Watch.
Beyond the Gobbler/Glimmer app, Gjøvik expresses concern about the potential for Apple’s software development ticket/bug reporting system to collect personal data without staff being properly informed, stating that the system by default shares reports with the company’s full software engineering staff (potentially tens of thousands of people). It also says these tickets could ask employees to include diagnostic files, which Gjøvik suggests could result in additional personal data from an employee’s personal device, like their iMessages, for example, being transferred to Apple without the employee being fully aware.
In last year’s The Verge article, which quoted Gjøvik and several other Apple employees, it was reported that company staff were routinely asked to link their personal Apple ID to their work account.
“The mix-up of personal and work accounts has led to some unusual situations, including Gjøvik’s alleged obligation to turn over compromising photos of herself to Apple lawyers when her team was embroiled in an unrelated legal dispute,” The Verge reported, before referencing what it described as a “strict employment agreement that gives Apple the right to conduct extensive surveillance of employees, including ‘physical, video, or electronic surveillance,’ as well as the ability to ‘search your work space, such as filing cabinets, desks, and offices (even if they are closed), review phone records, or search any non-Apple property (such as backpacks, purses) on company premises.’”
Another Apple policy highlighted in the Verge report was a ban on staff erasing devices before returning them to the company, even when they leave Apple, suggesting that employees who have linked their personal Apple IDs to their work accounts are potentially exposing private data to the company when they return corporate devices.