Privacy & Cybersecurity Law Blog

On April 30, 2013, the regional court of Berlin enjoined Apple Sales International, which is based in Ireland, (“Apple”) from relying on eight of its existing standard data protection clauses in contracts with customers based in Germany. The court also prohibited Apple’s future use of such clauses.

Apple used these clauses, which are summarized below, in terms and conditions for its online store as well as in its privacy policy. The court held that the clauses violated various provisions of Germany’s Civil Code, the Federal Data Protection Act, the Telemedia Act, the Telecommunications Act and the German Act Against Unfair Competition. Before the court issued its judgment, Apple had already agreed not to use seven of its other standard data protection clauses.

The case, which was brought by a consumer rights group, is important because the court interpreted the relevant data protection clauses in accordance with German data protection law rather than Irish data protection law. A similar issue was recently the subject of another judgment, although with a different outcome.

Notably, the court held that for the purposes of German data protection law, even “anonymized” location data can, in certain circumstances, constitute personal data. It also ruled that a pre-checked box by which the customer “opted in” to receive advertisements violated Germany’s Act Against Unfair Competition.

The clauses analyzed by the regional court of Berlin concerned:

• the sharing of personal data within Apple’s group of companies and the combination with other data to offer services, content or advertisements;
• the use and sharing of personal data relating to the customer’s family and friends;
• the use of personal data in the context of product announcements, software updates and events, as well as in the context of service, content or advertisement improvement;
• the use of personal data to develop, offer and enhance services, content and advertisements;
• the use of personal data for internal purposes such as data analytics and research to improve products, services and customer communications;
• the sharing of personal data with third parties in the context of serving or improving advertisements;
• the sharing of personal data with third party subcontractors in the context of data processing services, customer data management, evaluation of customer interest, customer research and surveys; and
• the collection and use of location data by Apple and its service providers in the context of location-based products.

The court’s judgment can still be appealed and is not yet binding.