May 27, 2013
Recently, a court in Germany determined that the standard privacy and data use policy applied by Apple violated German law. The ruling is an example of increasingly active oversight of information privacy and data use standards. It highlights some of the key issues that are likely to be raised with respect to similar policies applied by many different organizations in a variety of jurisdictions.
German law authorizes certain consumer advocacy groups to litigate on a variety of issues, including information privacy policies and practices. The German consumer protection group, the Federation of German Consumer Association (VZBV), went to court challenging Apple’s standard information privacy practices.
The VZBV asked the court to void 15 provisions in Apple’s online privacy and data use policy. Apple agreed to modify seven of those provisions, but refused to change the other eight. After reviewing the case, the Berlin Regional Court accepted the VZBV arguments. The court ordered Apple to eliminate the remaining eight challenged provisions.
One of the key points raised in the litigation was Apple’s attempt to obtain “global consent” for use of customer data collected through the Apple website. This effort to obtain broad rights of use for customer data was deemed by the court to be illegal under German privacy law.
German law requires that individuals be made aware of specific details regarding the users and uses of their personal information. The court determined that the consent obtained by Apple was too broad and did not provide necessary specific information to consumers regarding the use of their personal information.
The German court was also asked to evaluate Apple’s practice of sharing customer data with third party advertisers. The court concluded that this information sharing with advertisers was illegal absent specific consent from the individual consumers.
Although this court’s ruling applies only to Apple’s operations in Germany, it provides some insight into potential privacy oversight actions likely to emerge in other jurisdictions, as well. Other members of the European Union have enacted privacy laws and regulations similar to those in Germany. It is likely that the German court’s action will influence courts in other EU nations to take similar actions.
All parties who collect personal information from individuals should consider the German court’s action carefully. Many organizations make use of broad consent grants similar to that applied by Apple. They also commonly rely on broad disclosures of intent to share information with advertisers.
The German court’s ruling suggests that all parties who collect personal information from individuals should review their privacy and data sharing policies and practices. They should consider modifying those policies and practices to make sure that they provide more specific and meaningful disclosures regarding the parties who will have access to the information and the anticipated uses of the information. As other courts recognize and apply analyses similar to that of the German court in the Apple case, parties who collect personal information will likely be required to provide more specific disclosures regarding privacy and data disclosure practices.