A former Apple employee has filed complaints with several European privacy regulators in the hope that it will lead to more scrutiny of the tech giant’s employee data collection practices. As TechCrunch reports, Ashley Gjøvik was fired by the company in September, after suggesting that Apple was infringing on the privacy rights of people it had hired.
While Gjøvik worked at Apple’s Cupertino offices in California, she believes that her complaint is of interest to European regulators because Apple has offices in the UK, France, Ireland, and elsewhere. She believes that its treatment of employees may run afoul of the European Union’s stricter data protection laws. The UK’s Information Commissioners Office and France’s CNIL both confirmed that they have received Gjøvik’s complaint, though Ireland’s Data Protection Commission did make any comment. The latter is Apple’s primary regulator in the EU, and has already opened several investigations into the company.
The crux of Gjøvik’s complaint stems from the development of Apple’s Face ID technology. Apple has stated publicly that it used more than 1 billion images to train its matching algorithm, and many of those images were harvested from staff through an internal application called Gobbler (later renamed Glimmer). The tech giant encouraged staff to upload photos of their own volition, but also ran mandatory work events that made it seem as if data sharing was required for those who wanted to remain with Apple.
At the same time, Apple was allegedly harvesting additional data from employees without their knowledge. For example, Gjøvik claims that Apple automatically pulled data from employee devices, to the point that it would capture photos and videos without so much as indicating that a camera had been activated. Apple did inform staff that face logs were being uploaded from employee iPhones on a daily basis, but there was still a lot of ambiguity about what was being shared, and who had access to what information within the company.
“It disturbed me that the app was taking photos/videos without any notification (sound, signal, etc), which made me think that Apple, if it wanted to, could activate my device cameras and watch me without me knowing at any time as well,” said Gjøvik.
As it relates to the EU, Gjøvik acknowledged that Apple had different data collection policies for employees in different offices. For instance, those in France or Germany were told not to upload anything through Gobbler, a stance that indicates that Apple was aware that the app most likely violated GDPR regulations. It also means that Apple could be liable if anything did get uploaded from France, Germany, or another location. Even if an employee gave consent, European regulators could rule that informed consent cannot be given in an employee-employer scenario with such an extreme power imbalance.
In the meantime, Gjøvik is trying to make the public more aware of Apple’s invasive treatment of its employees. She has previously filed complaints with the U.S. National Labor Relations Board, and sent her new 54-page complaint to Canada’s Office of the Privacy Commissioner and privacy watchdogs EFF and Big Brother Watch in addition to the European regulators.
“Apple claims that human rights do not differ based on geographic location, yet Apple also admits that French and German governments would never allow it to do what it is doing in Cupertino, California, and elsewhere,” said Gjøvik.
Apple reportedly forced staff to sign extremely restrictive NDAs, and encouraged people to link personal Apple IDs to their work accounts. The company also banned the wiping of devices before they were returned, which ensured that they would still have access to any personal information employees may have stored.
It is not yet clear whether or not any of the recipients will take up Gjøvik’s complaint. If they do, it could still be several years before they reach any kind of resolution.
April 12, 2022 – by Eric Weiss