Speaking in the well of the European Parliament in the Espace Léopold in Brussels, Belgium, on Oct. 24, Apple CEO Tim Cook delivered a forceful call for a global movement to protect privacy similar to what the European Union has done with the General Data Protection Regulation, which went into effect in May. Calling privacy a “fundamental human right,” Cook pushed for legislation in the United States that provides similar protections.
Cook said technology companies are becoming what he called a “data industrial complex,” echoing the words of former President Dwight Eisenhower, who lamented the growth of the military industrial complex at the beginning of the Cold War. Cook said that such companies know you better than you know yourself. He wondered, “What kind of world do we want to live in?”
That Cook would make such a strident call for greater privacy protections isn’t surprising. Apple began ramping up privacy protections on its own following the revelations of former National Security Agency (NSA) contractor Edward Snowden, among other things delivering a level of end-to-end encryption sufficiently effective that agencies of the U.S. government have had to ask for help to crack iPhones during investigations.
Following the revelations that Facebook shared the data of 87 million users with Cambridge Analytica, Apple raised its privacy profile even higher, saying at the time that the company will never seek to monetize its users’ data.
Cook’s speech met with a mixed reaction in the technology industry. On one hand, Microsoft’s vice president and deputy general counsel for privacy and regulatory affairs, Julie Brill, expressed in a tweet strong support for Cook’s speech, saying that Microsoft applauds his support for a strong privacy law.
Speaking by video after Cook, Google’s CEO Sundar Pichai said that Google is looking at the ways it collects and uses user data, and might make it easier to delete some of it. Notably, the EU’s privacy laws give people a “right to be forgotten,” which Google is required to honor. Cook’s speech indicates that Google and other big data collectors including Facebook should be required to meet that standard.
Some critics have charged that Apple’s push for a strong privacy regulation is a cleverly hidden effort to hurt other big tech companies, including Google and Facebook, even though Cook never mentioned either company. However, it’s not clear that those charges really hold water. If anything, Apple’s strong privacy stance has hurt the company at some levels, earning enmity in Washington for its strong encryption and its unwillingness to cave into government demands that it either weaken it or provide a back door. When faced with demands by the FBI that it provide a crackable version of iOS following a mass shooting in San Bernardino, Calif., Apple simply refused. While the company does, in fact, help law enforcement agencies with appropriate court orders to get into its devices, it does not give into such demands without an order.
Is Apple Part of the Problem?
Others suggest that Apple is also part of the problem. “Tim Cook takes a break from virtue signaling to throw rocks at Google and Facebook, because he wants to position himself and Apple as the good guys whilst the others are vulnerable,” said Colin Bastable, CEO of Lucy Security, in a prepared statement. “His message is right, but Apple is also part of the problem. These players hold massive quantities of data, and we should never assume that they will ever have our best interests at heart.”
To date, privacy legislation of the type that Cook is calling for does not appear to be in the works in Washington. However, the state of California has in fact passed a comprehensive privacy law that will affect companies that do business in California, but that law lacks the teeth of the EU’s General Data Protection Regulation (GDPR), which can impose fines of up to 4 percent of a company’s global revenue for infractions.
In addition, there seems to be little appetite for such privacy legislation among technology trade groups. So far, there’s no evidence of a major trade association calling for anything like the GDPR for the U.S., probably because the members of those groups worry about losing the ability to monetize user data and also because they worry about compliance. Despite years of warning and preparation, there are many companies that haven’t found a way to comply with the GDPR, and there’s no reason to think that things would be different in the U.S.
However, there’s no question that Apple is the big dog in this fight, and that could give some legislators the support they think they need to introduce measures that follow California’s lead. But even with that, such a move in the U.S. is probably years if not decades in the making. Currently there’s no infrastructure to support such a move, no agency with GDPR-like powers and no agency, except perhaps the FTC, that even focuses on privacy at all.
Instead, privacy is parceled out in accordance with specific laws, such as HIPAA. At this point, the best Apple can hope for in the short term is to be an island of privacy protections in a sea composed of the data industrial complex.