Google’s privacy policy and terms of service violate German data protection law, the Regional Court of Berlin ruled Tuesday.
The clauses are too vaguely formulated and can restrict the rights of consumers, said the Federation of German Consumer Organisations (VZBV), which brought the case.
The VZBV complained about 13 privacy policy clauses and 12 terms of service clauses, all of which were ruled invalid, VZBV’s policy officer for legal enforcement, Bianca Skutnik, said on Wednesday.
Google said it would appeal the decision. “We believe our Terms of Service and privacy policy comply with all applicable laws,” a Google spokesman said in an emailed statement.
If the verdict is upheld, it could have far-reaching implications for Google.
“When it is final Google will have to change a lot, change its privacy policy and terms and conditions,” Skutnik said. But the federation will have to be patient: “If we’re lucky the court of appeal will make a decision by the end of next year,” she said.
Google’s approach of asking users to check a box saying they agree to its Terms of Service and have read the privacy policy does not comply with German law, the VZBV said. The formulations used by Google are overly broad and need to be more specific, according to the federation.
Among the parts of Google’s German privacy policy that VZBV considers problematic are clauses where Google says it may collect device-specific information, may collect and process information about a user’s location, and may combine personal information from one service with information from other Google services.
Google also reserves the right to collect, analyse and process personal data further without the need for the user to give explicit consent, VZBV said, adding that it is unclear to consumers what exactly they are consenting to.
Besides ruling some clauses unlawful, the court also ruled that 12 clauses restrict the rights of consumers, the VZBV said. It had complained about the way Google reserves its right to review and control, change and delete certain types of information, remove applications by directly accessing a device, and adjust functions and features of services completely at will.
The federation also complained that Google failed to explain what it meant by “reasonably possible” when it said users will be informed in advance about service changes when reasonably possible. It also said users were unreasonably disadvantaged when Google reserved the right to change the terms of service without asking their consent.
The same clauses are used in other Google privacy policies around the world.
The VZBV has been targeting the policies of large corporations since 2012. In May, the same Berlin court ruled that Apple violates German data protection law by asking for broad, overall consent in its privacy policy. It targeted Samsung Electronics too, and in June the Regional Court of Frankfurt am Main ruled 12 clauses in that company’s Terms of Service invalid.
Google’s latest privacy policy has been a point of dispute across Europe. The company faces financial sanctions in France because it failed to comply with French data protection laws. Privacy authority CNIL has issues with several Google policies, in particular how Google informs users about data that it processes and how it obtains consent from users before storing tracking cookies.
Similar action has been taken in Spain. In Germany, the Hamburg Commissioner for Data Protection and Freedom of Information began a formal action against Google in July over changes that were made to its privacy policy last year.