In November 2013, the Berlin District Court ruled that all of the 25 provisions in Google’s online terms of use and privacy policy that had been challenged by the German Federation of Consumer Associations (VZBV) are unenforceable.  In reaching its decision, the court found that German law applies to terms of use and privacy policies to the extent they are directed to German consumers.

Under German unfair contract terms legislation, clauses that contradict main elements of German law and unfairly disadvantage consumers are invalid.  In this respect, the court found that the German Federal Data Protection Act and the Telemedia Act constituted key elements of law to be considered in relation to standard terms, and hence considered these statutes irrespective of the fact that these statutes only apply to organizations established in Germany or using equipment in Germany.  Google has announced that it will appeal the decision, but, if the judgment is upheld, any online terms of use or privacy policy applicable to German consumers could be challenged under German law and in a German forum.

In the case, Google claimed that the unfair contract terms legislation was not applicable because its terms of use and privacy policy do not constitute contracts and the related Google services had been provided free of charge.  The court disagreed, observing that users were required to consent to these terms upon registration or use, and the services were not for “free” because of the commercial value of the personal data collected by Google and subsequently used for marketing purposes.

Among other clauses, the court found the following provisions in the terms of use to be invalid, many of which are relatively standard provisions in U.S. terms of use:

  • Google’s right to unilaterally terminate its services in the case of any breach of its terms of use or policies without prior notice that would allow users to remedy the breach;
  • Google’s right to monitor content for compliance with its policies;
  • Google’s right to alter its services at its discretion;
  • Google’s right to amend its terms of use without further notice or consent; and
  • The (mutual) liability limitation for bodily harm and life, or statutory product liabilities.

The court also found that Google had not obtained valid consent for the collection, use and sharing of personal data via its consent box (“I agree to the use terms and I have read the privacy policy.”).  German law requires that users be informed as to the specific data to be collected and how such data will be used and shared.  Google’s privacy policy, however, provided insufficient detail and relied on blanket statements to describe its rights, for example:

  • Google’s right to collect information (including device-type information) and location data “relating to the services”;
  • Google’s right to share data with organizations that “Google reasonably believes to have a need to know”;
  • Google’s right to share data in the context of a merger;
  • Google’s right to record phone calls without any specific notice;
  • Google’s right to merge data from different platforms without further notice or consent;
  • Google’s limitations on users’ rights to access data provided to Google; and
  • Google’s right to share data with law enforcement agencies without further notice or consent.

The court also objected to the privacy policy’s broad cookie language, including Google’s statement that only “cookies and other anonymous data” are collected by Google.  Cookie IDs and other tracking information were considered by the court to be personal data in this context.

The court’s judgment can be found (in German) here.