• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch

2

MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year

3

The Supreme Court's birthright citizenship ruling hands the U.S. economy a $7.7 trillion win

1

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch

2

MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year

3

The Supreme Court's birthright citizenship ruling hands the U.S. economy a $7.7 trillion win
TechPrivacy

Apple’s Routing of User Data to Google Could Be Breaking EU Privacy Law

By
David Meyer
David Meyer
Down Arrow Button Icon
By
David Meyer
David Meyer
Down Arrow Button Icon
October 15, 2019, 12:05 PM ET
Add Fortune on Google for similar content.

Apple is an unusually privacy-focused company in the Big Tech world, so its potential violations of user privacy tend to gather a lot of attention.

This proved to be the case with a report last week from the privacy site Reclaim the Net, which noted that Apple’s Safari browser sometimes sends information about the sites users are visiting off to Google and China’s Tencent, to check whether or not those webpages are fraudulent. The report particularly focused on Tencent’s alleged ties to the Chinese Communist Party.

Apple responded yesterday by explaining how the mechanism in question—the Safari Fraudulent Website Warning—is designed to protect privacy.

However, experts say this may break a key privacy law in the European Union because users do not give their explicit consent to their data being shared in this way.

Here’s how Apple’s Fraudulent Website Warning system works: The Safari browser alerts users when they visit websites that are known to be fraudulent—for example, websites trying to fool people into thinking they are other sites, so as to con them into divulging passwords. This information is regularly updated, with the underlying data coming from Google and—for users located on the Chinese mainland—Tencent.

As Johns Hopkins cryptography professor Matthew Green explained in a Sunday blogpost about the situation, Google’s current approach to flagging up fraudulent sites does not involve sending the company every web address (or URL) that a user visits‐the privacy implications of that would obviously be horrendous.

What happens instead is that Google creates a “hash” of each unsafe URL in its database. In other words, its algorithm translates the address into a mathematical representation, in a way that allows a visited URL to be checked against that entry (since the algorithm would always turn it into the same string of characters) but that does not allow reverse-translation back to a recognizable web address. Google then abbreviates these hashes and sends the short versions off to browsers such as Safari.

The browser creates a hash of each web address its user is trying to visit, and checks it against its list of Google- or Tencent-provided abbreviated hashes. If there’s a match, Safari then asks the provider for the full-length hash, to make sure if the site is fraudulent or not.

In theory, that means Google (or Tencent) does not get to monitor Safari users’ surfing habits. However, as Green noted: “The weakness in this approach is that it only provides some privacy. The typical user won’t just visit a single URL, they’ll browse thousands of URLs over time. This means a malicious provider will have many ‘bites at the apple’ (no pun intended) in order to de-anonymize that user.”

Apple stressed in its statement that Tencent only received data from users with their region set to China, adding: “The actual URL of a website you visit is never shared with a safe browsing provider and the feature can be turned off.”

The system may be designed to protect users from phishing attacks that fool them into handing over bank passwords and the like, but—because people have to opt out of this system, rather than opting in—it could also fall foul of EU online privacy rules.

The rule in question is not the much-feared General Data Protection Regulation (GDPR) that came into effect last year, threatening fines of up to 4% of global revenues for severe violations. While many know the GDPR as a law that requires users’ consent for handling their personal data, it is in fact more flexible than that—another legal basis for data processing is acting in the “legitimate interests” of the data subject, and fraud protection probably falls into this category.

Instead, the law Apple might be breaking is the ePrivacy Directive of 2002, which specifically deals with electronic communications—this law is best known as the one that forces sites to display “cookie” notices, though it is more wide-ranging than that.

According to Michael Veale, a lecturer in digital rights and regulation at University College London in the U.K., there are “certainly questions” about whether Apple should be asking for explicit consent before sending Google user data, even if it’s just abbreviated hashes.

That’s because the ePrivacy Directive becomes an issue when a company accesses data from a user’s “terminal device” (such as a phone) for a purpose that is not essential to the service being provided (in this case, the browser.) In such circumstances, Veale said, “GDPR-quality consent” is required.

“Arguments would exist both ways, but there’s definitely a possibility that consent would be required,” Veale said. “It’s strange Apple did not ask for one-off opt-in consent, but they may well be wary of asking individuals if the company they perceive as privacy-friendly can send even redacted browsing data to Google.”

Even if Apple has broken the EU ePrivacy Directive here, it is unlikely that it would suffer a serious punishment.

The directive is now ancient in tech-world terms, and it gives individual EU countries discretion over the fines they can levy for transgressions. So, while GDPR violations can theoretically lead to fines in the billions of dollars, the U.K. for example has a $630,000 cap on ePrivacy fines.

The ePrivacy Directive was supposed to have been replaced by a tougher ePrivacy Regulation at the same time as the GDPR came into effect in May 2018, with maximum fines at the same high level as those under the GDPR. But, likely thanks to extremely heavy lobbying, the ePrivacy Regulation has been stuck in legislative limbo for the last two years. While the European Commission and Parliament have passed a draft version, the EU’s member states still haven’t been able to agree on a final version.

Apple did not respond to a question about the legality of its safe browsing mechanism under EU privacy law, instead providing a more general statement about how the system works. Google did not respond to a request for comment.

About the Author
By David Meyer
LinkedIn icon
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Tech

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Tech

How foodservice giant Sodexo is embracing AI and robotics to reshape the kitchen
NewslettersCIO Intelligence
How foodservice giant Sodexo is embracing AI and robotics to reshape the kitchen
By John KellJuly 1, 2026
10 hours ago
Anthropic CEO Dario Amodei
AIAnthropic
Anthropic’s AI models are back online after a two-week government standoff—settling the company and administration into a fragile truce
By Tristan BoveJuly 1, 2026
10 hours ago
Nikesh Arora, chief executive officer at Palo Alto Networks
SuccessJobs
CEO of $248 billion cybersecurity company says workers are about to face a ‘Darwinian moment’ thanks to AI: Evolve or get cut
By Emma BurleighJuly 1, 2026
12 hours ago
Current price of Ethereum for July 1, 2026
Personal FinanceEthereum
Current price of Ethereum for July 1, 2026
By Joseph HostetlerJuly 1, 2026
13 hours ago
In this photo illustration, a Cisco logo is displayed on a smartphone with Artificial Intellingence (AI) symbols in the background.
AICFO Daily
Cisco is rolling out AI agents to every single one of its 90,000 employees
By Sheryl EstradaJuly 1, 2026
14 hours ago
senate
CommentaryCongress
One rare bipartisan AI bill is moving through Congress. Here’s why it deserves to pass
By Neil Björkman and Betsy BrewerJuly 1, 2026
15 hours ago

Most Popular

As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch
Big Tech
As Big Tech showers employees with perks to win the talent war, Nvidia built a nearly $5 trillion company by making people pay for their own lunch
By Marco Quiroz-GutierrezJuly 1, 2026
19 hours ago
MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year
Success
MacKenzie Scott alone accounted for one-third of America's $19.2 billion in megagifts last year
By Sydney LakeJune 25, 2026
7 days ago
The Supreme Court's birthright citizenship ruling hands the U.S. economy a $7.7 trillion win
Newsletters
The Supreme Court's birthright citizenship ruling hands the U.S. economy a $7.7 trillion win
By Diane BradyJuly 1, 2026
17 hours ago
Philanthropy leader at Warren Buffett and Bill Gates’ Giving Pledge says children of billionaires are pushing them to give their wealth away faster
Success
Philanthropy leader at Warren Buffett and Bill Gates’ Giving Pledge says children of billionaires are pushing them to give their wealth away faster
By Preston ForeJune 27, 2026
5 days ago
Elon Musk on MacKenzie Scott giving away $26 billion of her fortune: 'Sadly,' it makes the world a worse place
Success
Elon Musk on MacKenzie Scott giving away $26 billion of her fortune: 'Sadly,' it makes the world a worse place
By Sydney LakeJune 29, 2026
2 days ago
Current price of oil as of July 1, 2026
Personal Finance
Current price of oil as of July 1, 2026
By Joseph HostetlerJuly 1, 2026
14 hours ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.