Apple violates German data protection law by asking for users' broad, overall consent in its privacy policy, the Regional Court of Berlin ruled.
Apple's terms for sharing personal information with the company are too broadly formulated, the court ruled on April 30, according to a verdict published by the Federation of German Consumer Organisations (VZBV)A on Tuesday.
The VZBV demanded in 2011 that Apple Sales International should stop using unfair contractual clauses in its privacy policy as posted on its German website, said Helke Heidemann-Peuser, a lawyer and head of the VZBV's legal enforcement section. After this warning, Apple committed to change five of those clauses, but this was not enough, which is why the VZBV decided to sue Apple in February 2012, she said.
After Apple was sued, the company committed to change two more clauses, after which the lawsuit continued over the eight remaining disputed clauses, said Heidemann-Peuser. The court found that Apple violates the law with all those clauses, she added.
In its German privacy policy, which is similar to the one used in the U.S., Apple states for instance that when someone contacts Apple and its affiliates, they may share information about that person with each other. Apple also states that this information may be combined with other information to provide and improve products, services, content and advertising.
This clause violates the law because customers are unaware which data is used and to what extend, the court ruled, according to the VZBV.
Another problematic clause gives Apple the right to collect the information someone provides about friends and family such as name, mailing address, email address and phone number when someone sends a gift certificate or products or invites others to join a user on an Apple forum, Heidemann-Peuser said. This is illegal because Apple would need consent from the third party to process this data, she said.
Apple also states that it may collect, use and share precise location data, including the real-time geographic location of a users' Apple computer or device, in order to provide location based services like advertising on Apple products. The data, as collected, is anonymous, according to Apple's policy. However, when location-based services are used, the data can always be traced back to an individual, according to the court, so this clause was also prohibited.
Apple now needs to change these clauses, said Heidemann-Peuser. "They need to be very specific," she said, adding that Apple needs to ask for users' explicit consent instead of letting them agree to an overly broad privacy policy.
However, the company does not need to do so immediately because Apple can appeal the verdict, which the VZBV expects the company to do.