A Berlin court ruled that eight clauses in Apple Sales International's (“Apple”) standard data use policy, which covers how the company can share data, do not comply with Germany’s privacy protection laws and enjoined Apple, which is based in Ireland, from relying on these clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.
At the heart of the ruling was Apple’s request for global consent to use customer data. The German court held that Apple was prohibited from asking for global consent to use consumer data without informing the user of where and how the data will be used. The court also prohibited Apple from merging user data with other information the company had collected on the grounds that consumers might be unclear as to how such data could be used and that Apple could not share location data with its partners to promote its location-based services and products.
Apple asks for “global consent” to use customer data on its website, but German law requires that consumers be advised in specific detail what their data will be used for and why. A company in Germany may not even ask for permission to use names, addresses, and phone numbers of users’ contacts. Accordingly, a global consent policy is violative of German law.
The action, which was brought by a consumer watch dog group, is important because the court interpreted Apple’s data protection policy under German, rather than under Irish law, the jurisdiction in which Apple is located. Thus, while the ruling only applies to Germany and German users, all companies with websites collecting information from users in Germany, no matter where located, should pay attention to this decision.