News

Apple-sponsored paper misinterprets Data Protection law over first- and third-party data debate

On April 26 2022, an Apple-sponsored Columbia Business School paper was published, arguing that Apple has not benefited from the implementation of their new App Tracking Transparency (ATT) feature.

However, the paper misinterprets key points in the debate around personal data and privacy, and fails to properly address well publicised concerns around ATT.

The paper fails to grasp the most basic understanding of General Data Protection Regulation (GDPR). Instead, it repeatedly frames the issue of data protection along the lines of Apple’s definition of “tracking”, carried out by third-parties, as entirely separate and distinct from use of data by first parties, or the app/domain that users are directly interacting with.

It justifies this framing by citing a dated study the paper claims to indicate public distrust of third-party data handling. However, much has changed in four years, including a rapid drop-off in trust for big tech first parties. The cited public unease around ad personalisationfrom a similarly dated study – is not a third-party specific issue – as first party data can perform the same function.

The UK’s Information Commissioner’s Office (ICO), an independent regulator dealing with GDPR produced a joint statement with the UK Competition & Markets Authority in May 2021 clearly addressing this issue saying:

There is no explicit reference to the distinction between first-party and third-party data in data protection law… This is not a rigid distinction. Some functions typically delivered through third party cookies can be done via first party cookies, even if a third party’s code and associated service is still involved.”

An ICO opinion paper entitled ‘Data protection and privacy expectations for online advertising proposals’, published in November 2021, further reinforces this point:

“The Commissioner is aware of a view by market participants about how data protection law regards these concepts. For example, that first party has an inherently lower risk than third party. The Commissioner rejects this view.”

Ultimately what matters is the risk of harm to people related to abuses of personal data, regardless of the “partiness” of the entity involved.

By focusing on a false first-/third-party dichotomy, ATT throttles non-first-party data streams, meaning user data will increasingly pool in the hands of large first-party players. Movement for an Open Web produced a three minute explainer video in 2021 to demonstrate how big tech is advantaged by perpetuating this narrative. If privacy is the cause for this move, the question must be asked: is anyone’s privacy improved when Apple and Co. hold a monopoly on data, knowing more about people even more of the time?

A person making a card transaction, an example of an everyday interaction that uses third-party data

Third-party data is a fact of daily life; credit card transactions in supermarkets or on a website are facilitated by many third-party business to business (B2B) vendors. In everyday life, we do not have the option to demand a retailer does not use certain payment gateways – so why do Apple and others think they should have such a right online?

There is clearly concern around privacy and the use of personal data in advertising, with a need for transparency and consent within this process. However, Apple and its big tech peers have consistently muddied the water around this privacy debate, in this case using a dated 2018 poll to show distrust for third-parties as their rationale for a totally misguided course of action.

This paper falls into the well-trodden pattern of misdirecting regulators and consumers about the terms of the conversation. This does not protect us or our data. Instead, it distracts from the real issue: Apple’s ill-begotten attempts to unfairly bias against third-party competitors.


(Header image courtesy of Towfiqu Barbhuiya via Unsplash. Body image courtesy of Clay Banks via unsplash. Licensed for free use under the Unsplash License.)