A group led by privacy activist Max Schrems on Monday filed complaints with German and Spanish data protection authorities over Apple’s online tracking tool, alleging that it allows iPhones to store users’ data without their consent in breach of European law.

It is the first such major action against the U.S. technology group in regards to European Union privacy rules. 

Apple did not immediately reply to a request for comment.

The Californian tech giant says it provides users with a superior level of privacy protection. The company had announced it would further tighten its rules with the launch of its iOS 14 operating system this autumn but in September said it would delay the plan until early next year.

The complaints by digital rights group Noyb were brought against Apple’s use of a tracking code that is automatically generated on every iPhone when it is set up, the so-called Identifier for Advertisers (IDFA). 

The code, stored on the device, allows Apple and third parties to track a user’s online behavior and consumption preferences – vital for the likes of Facebook to be able to send targeted ads that will interest the user.

“Apple places codes that are comparable to a cookie in its phones without any consent by the user. This is a clear breach of European Union privacy laws,” said Noyb lawyer Stefano Rossetti. 

Rosetti referred to the EU’s e-Privacy Directive, which requires a user’s prior consent to the installation and use of such information.

Apple’s planned new rules would not change this as they would restrict third-party access but not Apple’s.

Apple accounts for one in every four smartphones sold in Europe, according to Counterpoint Research.

The claims were made on behalf of an individual German and Spanish consumers and handed to the Spanish data protection authority and its counterpart in Berlin, said Noyb, a privacy advocacy group led by Austrian Schrems that has successfully fought two landmark trials against Facebook.

In Germany, unlike Spain, each federal state has its own data protection authority. 

Both authorities did not immediately reply to requests for comment.

Rossetti said the action was not about high fines but rather aimed at establishing a clear principle whereby “tracking must be the exception, not the rule”.

“The IDFA should not only be restricted, but permanently deleted,” he said.

National data protection authorities have the power to directly fine companies for breaching European law under the e-Privacy Directive. 

Noyb, which has filed several complaints against Facebook and Google in Ireland and complained that the national data protection commission has been slow to take action, said it hoped for the Spanish and German authorities to act more quickly.

(Reporting by Kirsti Knolle. Editing by Jane Merriman and Louise Heavens)