Privacy Governance

At Apple we design our products and services according to the principle of privacy by default and collect only the minimum amount of data necessary to provide our users with a product or service.  We also deploy industry-leading consent mechanisms to allow our customers to choose whether to share data such as their Location, Contacts, Reminders, Photos, Bluetooth Sharing, Microphone, Speech Recognition, Camera, Health, HomeKit, Media & Apple Music and Motion & Fitness Data with apps. 

Apple has a cross-functional approach to privacy governance.  Privacy governance covers all areas of the company and includes both customer and employee data.  The Legal Team has a Senior Director in charge of Privacy and Law Enforcement Compliance who reports directly to Apple’s General Counsel.  Apple also has a Privacy Engineering Team that partners with the Privacy Legal Team and dedicated Product Counsel to design products from the ground up to protect customer privacy. Apple also has a Privacy Board made up of a cross-functional group of senior representatives of Internet Software and Services, Software Engineering, Government Affairs, Product Marketing, Corporate Communications and Privacy Legal.  The Privacy Board addresses privacy issues for escalation to Apple’s executives.  The Audit and Finance Committee of the Board of Directors assists the Board of Directors with the oversight and monitoring of privacy and data security.

All Apple employees are required to take annual training on Business Conduct.  Privacy training is an essential part of Business Conduct Training.  Apple requires its employees who have access to Apple customer data and personal information to undergo a Privacy Training course on a bi-annual basis.  There is also additional training provided to employees who handle sensitive personal information or as required by local law. 

As part of our EU General Data Protection Regulation (GDPR) work, we are undertaking Privacy Impact Assessments (PIA) of our major products and services and integrating PIAs as we develop new products and services.  We also fully assess all acquisitions.  These PIAs take into consideration how laws affect privacy and assess any associated privacy risks.  Apple also regularly engages with a wide range of civil society representatives globally on various privacy issues including privacy by design and encryption.  

Apple maintains current ISO 27001 and 27018 certifications.  Apple undergoes yearly re-audits in order to receive these certifications.

Data Security and Incident Response

To make sure your personal information is secure, we strictly enforce privacy safeguards within the company.  This means we use access management and access controls commensurate with the risk to data to ensure access to data is associated with a business need, such as providing you with support.  Our iOS Security White Paper provides in-depth technical details as to how we have designed our products and services to protect your security, including on iOS, iMessage, FaceTime, Apple Pay, and iCloud.  It also contains an overview of our Security Bounty Program. Information about macOS Security can be found on our macOS Security Page.

When Apple becomes aware that it may have experienced a data security incident that might impact our users’ personal information, we investigate to learn what happened and determine what steps to take in response.  

We analyze these facts — in the context of applicable laws, regulations, industry norms, and most of all Apple’s established commitment to privacy — to determine whether we should notify affected individuals, or other relevant parties like regulators.  Apple complies with all applicable laws that require notification about data security incidents. 

That means we conduct prompt investigations and analysis, so that we can provide notification in a timely manner when necessary.  We are also committed to providing users who have been impacted by an incident with appropriate assistance, which may include information on steps they can take to reduce the risk of harm or support from AppleCare.