DPC (Ireland) - Inquiry into Apple Distribution International Limited - March 2024
| DPC - Inquiry into Apple Distribution International Limited - March 2024 | |
|---|---|
| Authority: | DPC (Ireland) |
| Jurisdiction: | Ireland |
| Relevant Law: | Article 6(1)(f) GDPR; Article 12(1) GDPR; Article 13(1) GDPR; Article 17(1) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 25.10.2021 |
| Decided: | 07.03.2024 |
| Published: | |
| Fine: | n/a |
| Parties: | n/a |
| National Case Number/Name: | Inquiry into Apple Distribution International Limited - March 2024 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | English |
| Original Source: | DPC (in EN) |
| Initial Contributor: | lm |
The DPA found that Apple could retain a data subject's hashed email address as a security measure after receiving an erasure request. However, the DPA found Apple did not inform the data subject about such processing in violation of Article 13 GDPR.
English Summary
Facts
On 3 March 2019, a data subject made an erasure request to Apple (the controller) in respect of his Apple ID. The controller confirmed that it was handling the erasure request and stated that when the account was deleted, the data stored with Apple would also be permanently erased. However, the controller continued to retain a hashed value of the data subject’s email address. It did not inform the data subject that it would retain this data.
The data subject later attempted to create a new Apple account using the same email address, and was notified by Apple that the address could not be used because it was already linked to another Apple account. Concluding that his deletion request had not been fully honoured, the data subject filed a complaint with the Irish Data Protection Commission (DPC) on 25 October 2021. The DPC commenced an inquiry in November 2022.
In response to the complaint, the controller submitted that it retained the hashed value for the purposes of its legitimate interests, namely to be able to demonstrate compliance with its security obligations under Article 32 GDPR, to prevent the recycling of namespaces (reuse of an email address by a different user), to protect users against fraud and security breaches by third parties, and to demonstrate compliance with a user's request to delete their Apple ID. The retention period was not yet fixed; the controller informed the DPC that it would convene with its security teams to review the period for deletion at a set time.
The DPC’s inquiry considered the following:
- Whether the controller had a lawful basis for retaining the hashed email address after an Article 17 GDPR erasure request had been made;
- The period for which the controller intends to retain the hashed email address;
- Whether the controller met the obligations in Articles 12(1) and 17(1) GDPR in processing the erasure request;
- Whether the controller complied with principles of transparency in terms of notifying the data subject of the retention of the hashed email value.
Holding
The DPC found that the controller validly relied on Article 6(1)(f) GDPR as the legal basis for retaining a hashed value of the data subject's email address. The DPC also determined that Apple satisfied Articles 12 and 17 GDPR in carrying out the data subject's erasure request and considered that the controller satisfied the principle of data minimisation in retaining only the hashed value. However, the DPC found that, by failing to inform the data subject of its intention to retain a hashed value of his email address, the controller failed to meet the transparency obligations of Articles 13(1)(c) and 13(1)(d) GDPR.
Legal basis: The DPC found that Apple has a legal basis in Article 6(1)(f) GDPR. It recognised a legitimate interest in demonstrating compliance with the deletion request and with security obligations, as well as in preventing the recycling of namespaces and protecting users against fraud. In a portion of the decision that is largely redacted, the DPC also found that Apple had demonstrated the necessity of the processing. Finally, the DPC was satisfied that Apple's legitimate interests in retaining the hashed value of the data subject's email address were not overridden by his rights and interests. It considered that the retention was expected behaviour, that the controller had safeguards in place, and that data subjects can object and explain their interests so that the controller may assess whether those interests override its own. Notably, "Apple stated that thus far it has not received a case which it has determined meets that criteria."
Period of retention: The DPC notes that Apple’s ongoing retention of the hashed values is “strictly necessary” to enforce its policy of preventing reuse of an email address. It notes that the controller does not intend to retain the data indefinitely without periodic assessment. The DPC found that this indicated “due consideration” to the principle of data minimisation, resulting in no infringement of Article 5(1)(e) GDPR.
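The decision does not disclose how Apple constructs the hashed value, how it is compared at sign-up, or what retention period its security teams settled on. The following is an added illustration, not Apple's code, of the mechanism the Facts and the "Period of retention" finding describe: a tombstone register that keeps only a digest of a deleted account's email address, refuses re-registration while the digest is in retention, and purges digests on a fixed schedule. The pepper, the 30-day window, the `TombstoneRegistry` class and the sample addresses are all assumptions made for the example. It also shows the caveat a practitioner should note when reading "hashed": an unkeyed hash of an email address can be inverted by guessing candidate addresses, so the stored value is pseudonymised personal data rather than anonymous data, which is consistent with the DPC treating its retention as processing that needs a legal basis.

```python
"""Hashed-email tombstones after account deletion (added example, not Apple's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed secret for this example only; a deployment would load the pepper from
# a KMS/HSM. Rotating it means re-keying every stored digest, so plan for that.
PEPPER = b"example-pepper-do-not-use-in-production"

# Assumed 30-day retention window; the decision does not state Apple's period.
RETENTION_SECONDS = 30 * 86400


def normalize_email(addr: str) -> str:
    """Canonicalise so 'Alice@Example.COM ' and 'alice@example.com' collide.

    RFC 5321 allows a case-sensitive local part, but treating it case-insensitively
    is what a namespace-reuse check wants: the goal is to block lookalike re-use.
    """
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"


def plain_hash(addr: str) -> str:
    """Unkeyed SHA-256: deterministic, so anyone with a guess list can invert it."""
    return hashlib.sha256(normalize_email(addr).encode()).hexdigest()


def keyed_hash(addr: str, pepper: bytes = PEPPER) -> str:
    """HMAC-SHA256 under a server-side pepper: a guess cannot be verified without the key."""
    return hmac.new(pepper, normalize_email(addr).encode(), hashlib.sha256).hexdigest()


@dataclass
class TombstoneRegistry:
    """Digests of deleted-account email addresses, kept only to refuse re-registration."""
    pepper: bytes = PEPPER
    retention_seconds: int = RETENTION_SECONDS
    # digest -> deletion time (epoch seconds); the address itself is never stored
    _entries: Dict[str, float] = field(default_factory=dict)

    def record_deletion(self, addr: str, now: float) -> str:
        """Called after the account data is erased; stores the keyed digest, not the address."""
        digest = keyed_hash(addr, self.pepper)
        self._entries[digest] = now
        return digest

    def purge_expired(self, now: float) -> int:
        """Enforce the retention period instead of keeping tombstones indefinitely."""
        expired = [d for d, t in self._entries.items() if now - t >= self.retention_seconds]
        for d in expired:
            del self._entries[d]
        return len(expired)

    def is_reserved(self, addr: str, now: float) -> bool:
        """Sign-up check: True if the address belongs to a deleted account still in retention."""
        self.purge_expired(now)
        # Digests are keyed and fixed-length, so an exact dict lookup is safe here.
        return keyed_hash(addr, self.pepper) in self._entries


def recover_from_digest(digest: str, candidates: List[str]) -> Optional[str]:
    """Offline guessing attack: try each candidate address under the unkeyed hash."""
    for c in candidates:
        if hmac.compare_digest(plain_hash(c), digest):
            return c
    return None


if __name__ == "__main__":
    reg = TombstoneRegistry()
    reg.record_deletion("Alice@Example.com", now=0)
    print(reg.is_reserved("alice@example.com", now=86400))        # True: still reserved
    print(reg.is_reserved("alice@example.com", now=31 * 86400))   # False: purged after 30 days

    # Constructed guess list, as an attacker with a leaked digest store would use.
    guesses = ["bob@example.com", "alice@example.com"]
    print(recover_from_digest(plain_hash("alice@example.com"), guesses))  # alice@example.com
    print(recover_from_digest(keyed_hash("alice@example.com"), guesses))  # None without the pepper
```

The keyed construction does not make the tombstone anonymous either: the controller holds the pepper and can still test whether a given address was deleted, which is exactly the lookup the sign-up check performs. What it removes is the ability of anyone without the key to turn a leaked digest store back into a list of former customers.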
Compliance with erasure request: The DPC noted that the controller informed the data subject of the upcoming deletion upon receiving the request, and that it properly initiated the deletion within one month of receipt of the request. Thus, the controller carried out its obligations under Articles 12(1) and 17(1) GDPR.
Transparency: The DPC concluded that the controller’s failure to specifically inform the data subject when he made his erasure request in March 2019 of its intention to retain a hashed value of his email address, as well as the legal basis for doing so, infringed the transparency obligations of Articles 13(1)(c) and 13(1)(d) GDPR.
The DPC issued a reprimand for the infringements of Article 13 GDPR and ordered the controller to review and revise its document titled “Apple ID Deletion Terms and Conditions” to address transparency deficiencies.