Apple's privacy policy violates German data protection law, Berlin court rules

Apple's privacy clauses are too broadly formulated and therefore violate German law, the court ruled

Apple violates German data protection law by asking for users' broad, overall consent in its privacy policy, the Regional Court of Berlin ruled.

Apple's terms for sharing personal information with the company are too broadly formulated, the court ruled on April 30, according to a verdict published by the Federation of German Consumer Organisations (VZBV) on Tuesday.

The VZBV demanded in 2011 that Apple Sales International should stop using unfair contractual clauses in its privacy policy as posted on its German website, said Helke Heidemann-Peuser, a lawyer and head of the VZBV's legal enforcement section. After this warning, Apple committed to change five of those clauses, but this was not enough, which is why the VZBV decided to sue Apple in February 2012, she said.

After Apple was sued, the company committed to change two more clauses, after which the lawsuit continued over the eight remaining disputed clauses, said Heidemann-Peuser. The court found that Apple violates the law with all those clauses, she added.

In its German privacy policy, which is similar to the one used in the U.S., Apple states for instance that when someone contacts Apple and its affiliates, they may share information about that person with each other. Apple also states that this information may be combined with other information to provide and improve products, services, content and advertising.

This clause violates the law because customers are unaware which data is used and to what extent, the court ruled, according to the VZBV.

Another problematic clause gives Apple the right to collect the information someone provides about friends and family such as name, mailing address, email address and phone number when someone sends a gift certificate or products or invites others to join a user on an Apple forum, Heidemann-Peuser said. This is illegal because Apple would need consent from the third party to process this data, she said.

Apple also states that it may collect, use and share precise location data, including the real-time geographic location of a user's Apple computer or device, in order to provide location-based services like advertising on Apple products. The data, as collected, is anonymous, according to Apple's policy. However, when location-based services are used, the data can always be traced back to an individual, according to the court, so this clause was also prohibited.

Apple now needs to change these clauses, said Heidemann-Peuser. "They need to be very specific," she said, adding that Apple needs to ask for users' explicit consent instead of letting them agree to an overly broad privacy policy.

However, the company does not need to do so immediately because Apple can appeal the verdict, which the VZBV expects the company to do.

Apple did not reply to a request for comment.

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, open-source and online payment issues for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to
