The Business Model — who earns what, and how?
Before comparing individual privacy features, it is worth examining the underlying business model. It explains why Google and Apple approach user data in fundamentally different ways.
- Alphabet (Google's parent company) generates approximately 72 % of its revenue from advertising (full year 2025)
- Data from Google Photos does not flow directly into advertising — Google explicitly emphasises this
- It does, however, feed into AI systems (Gemini) when services are linked
- More data = better AI = stronger advertising network — indirectly
- Apple earns primarily from hardware sales and the App Store
- iCloud is a subscription service — Apple earns directly from usage
- Apple does not sell user data for advertising — privacy is part of its brand promise
- Nevertheless: data resides on US servers and is subject to US law
The structural difference: Google has a financial incentive to know as much as possible about its users. Apple has a financial incentive to be perceived as trustworthy. That does not automatically make Apple a privacy champion — but it explains why the two systems are built so differently.
What is analysed?
Google Photos
Google Photos analyses uploaded photos and videos using AI algorithms. According to Google's own privacy notice for Gemini features in Google Photos (as of January 2026), Google processes images in order to:
- Automatically recognise subjects, locations, people, and activities, making them searchable
- Evaluate EXIF metadataEvery photo contains invisible metadata: GPS coordinates, time, camera model. Google reads this data and displays photos on a map. (GPS coordinates, time, camera model)
- Draw inferences about people — according to Google, this includes estimates of the age and whereabouts of the most frequently appearing faces in a library
- Create automatic memories, collages, and albums
Anyone who links Google Photos with Gemini (Google's AI assistant) discloses considerably more: according to Google's own help text, summaries and inferences derived from photos may be used to train AI models — and information from these conversations may be shared with other Google services and third-party providers. Google simultaneously states: "Your personal data in Google Photos is never used for advertising."
Apple Photos / iCloud
Apple analyses photos primarily locally on the device, not on servers. According to Apple's privacy notice for the Photos app:
- Face recognition and people grouping runs on the iPhone/iPad — not in the cloud
- The "Enhanced Visual Search" feature (searching for landmarks and places) compares data confidentially against an index on Apple servers — but only in anonymised form
- Apple does not use iCloud Photos for advertising
Google: Analysis takes place primarily on Google's servers — Google has technical access to unencrypted image data for AI processing.
Apple: Analysis takes place primarily on your own device (On-Device ProcessingThe AI runs directly on the iPhone or iPad — images do not leave the device for analysis. This protects privacy but requires more processing power on the device itself.) — iCloud receives the encrypted photos, not the results of the analysis.
Encryption — who has access?
This is the biggest structural difference between the two services — and the most complex, because it depends on the settings chosen.
Google Photos
Google Photos encrypts photos in transit and on servers. However: Google holds the encryption keys itself. This means Google can technically access the photos — for AI analysis, for law enforcement agencies on a court order, or theoretically in the event of a server-side data breach. End-to-end encryption is not available with Google Photos.
Apple Photos / iCloud
Apple has a two-tier system here — and it is crucial to understand the distinction:
- Encryption: Yes — but Apple holds the keys and can decrypt if required
- Apple access: Theoretically possible, e.g. on a court order
- Forgotten password: Apple can assist with account recovery
- iCloud.com: Works normally in the browser
- Encryption: End-to-end — only your own devices hold the keys; Apple cannot decrypt
- Apple access: Not possible — even Apple itself cannot gain access
- Forgotten password: Only via your own Recovery Key — no support available
- iCloud.com: Disabled by default — only accessible with confirmation on the device
To enable Advanced Data Protection: Settings → [your name] → iCloud → Advanced Data Protection. According to Apple Support, it then protects the majority of iCloud data with end-to-end encryption — including Photos, Backups, and Notes.
Google LLC is based in the USA. Apple Inc. is based in the USA. Both are subject to the CLOUD ActUS law from 2018: compels US companies to hand over data at the request of US authorities — even if that data is stored on servers outside the USA. Applies to all US corporations. of 2018, which grants US authorities extensive data access rights — including data stored on servers outside the United States. Apple has server locations in the USA, Asia, and the EU — which location applies to your account is not publicly selectable. Advanced Data Protection (ADP) substantially mitigates this risk: even US authorities would receive only encrypted data for which Apple holds no keys.
Face Recognition & Metadata
Face Recognition
Google Photos: In Germany and Europe, people grouping is disabled by default according to Google's Safety Centre (GDPR). Anyone who enables it allows Google to create biometric facial models. In the USA this was active without an opt-in — which brought Google a lawsuit and a $100 million settlement in the state of Illinois in 2022.
Apple Photos: Face recognition runs locally on the device, according to Apple's privacy page for Photos. The assignment of names to faces remains on the device — Apple itself sees no biometric data.
GPS and Metadata
Every photo taken with a smartphone contains GPS coordinates by default in the EXIF metadataInvisible data in every image file: exact GPS location, time, camera model, aperture, exposure time. Transmitted when uploading unless disabled.. Both services read and use this information — for map views and location search. With Google, location data in the map view is visible only to the user themselves by default. When sharing photos, the precise location may be transmitted — with both services.
Direct Comparison at a Glance
In direct comparison, Apple Photos is structurally well ahead on privacy — primarily due to local face recognition and the option for genuine end-to-end encryption via Advanced Data Protection. Anyone using an iPhone with ADP enabled has one of the more private photo cloud solutions available on the market.
Google Photos analyses photos server-side — that is the technical core of the problem. Google insists it does not use this data directly for advertising. That is plausible. But the infrastructure that analyses photos on Google's servers is the same infrastructure that builds Google's comprehensive data profile across billions of users. That is a structural risk that no privacy setting can resolve.
Nevertheless, Apple is no free pass: without Advanced Data Protection enabled, standard encryption applies — Apple holds the keys, and as a US company, Apple is subject to the CLOUD Act. The difference from Google here is one of degree, not of principle.
What we use ourselves: Neither Google Photos nor Apple Photos — we run Immich as a self-hosted alternative. Why, and what options exist, is covered in the next article.
Sources:
Google – Privacy notice for Gemini features in Google Photos (January 2026) ·
Google – Safety Centre for Google Photos ·
Apple – Privacy notice for the Photos app ·
Apple Support – Advanced Data Protection for iCloud ·
dr-datenschutz.de – iCloud privacy check ·
GoogleWatchBlog – Google Photos face recognition Illinois lawsuit 2022