Getting to the Core of the Apple Judgment
A recent Regional Court of Berlin judgment caused consternation amongst Privacy Counsels as Apple´s Privacy Policy was judged non-compliant with German Data Protection law. The court banned eight
A recent Regional Court of Berlin judgment caused consternation amongst Privacy Counsels as Apple´s Privacy Policy was judged non-compliant with German Data Protection law. The court banned eight clauses even after Apple, in an out-of-court undertaking with the claimant (a German consumer protection association) prior to the judgment, agreed to remove seven clauses. Supporters of the judgment seemed to outnumber critics as debate focused on the following three key points:
The Question of Applicability
The most contested legal point concerned the applicability of German data protection law on Apple´s Privacy Policy. The Berlin court affirmed that under Art. 6 (1) Rome-I, the law of the Member State applies according to the location of the consumer. However, applicability is by no means a cut and dried issue as shown by the Facebook judgment where the Schleswig-Holstein court stated that the service would be subject to Irish data protection regulation. The Schleswig-Holstein court argued that Sec. 1 (5) of the German Data Protection Act, which states that if the controller has an establishment in another EU Member State other than Germany then the law of the other Member State applies, would be an "overriding mandatory provision" within the meaning of Sec. 9 (2) of the Rome-I Regulation. Although the Berlin court may have had strong arguments to counter the Schleswig-Holstein court's position, its failure to communicate them was at best, lacking in transparency, and, at worst, sloppy judicial decision-making.
The Merits of the Case
On the case's merits, the court granted the claim in full and, in doing so, provided scant reasoning. The judgment was based on an interpretation of each clause that is most disadvantageous for the consumer. In this regard, the court departed from the appropriate viewpoint of the "average consumer without legal education" to adopt the position of the "most naive customer imaginable". The court also held that location data, even where anonymized, must always be regarded as personal data – a reasoning that can only be explained with a blatant misunderstanding of the way location based services work.
Apple will likely appeal the decision and, if it does, there is a good chance that the judgment will be overturned on certain points. Nevertheless, other criticisms of the court do have merit such as the fact that Apple's Privacy Policy, in keeping with most policies in the market, lacks transparency and that the Privacy Policy does not sufficiently distinguish which category of data is subject to which purpose of use. Given the ambiguity rule, the court correctly assumes that this could be understood as a blanket license.
Impact of the Judgment
The question of whether or not German Data Protection law is applicable in cases like these is becoming a more prominent legal debate. The Berlin court has now made clear that it is not willing to follow the position of the Schleswig-Holstein court. The resulting debate has just begun, and it must be assumed that the Federal Court of Justice or the European Court of Justice will have a future say.
The court´s criticism of transparency should be taken very seriously since it is a key principle upheld by German courts and by the EU. The Berlin judges also switched the focus from completeness to comprehensibility/clarity and questioned the framework used by most market players due to its sheer ambiguity.
The judgment further highlighted two key points: the growing irritation in German courts about the privacy practices of international actors in Germany and the strategy of German consumer protection associations and DPAs to go after the big players for impact and publicity. This combination makes it critical for businesses in Europe to consider the German position when drafting their privacy-related processes and documentation.
- The Berlin court supported the applicability of German Data Protection law on controllers in another EU Member State on the basis of Art. 6 (1) of Regulation 593/2008 ("Rome-I");
- The Berlin court questioned the transparency of the standard Privacy Policy framework; and
- The Berlin court viewed anonymised location data as personal data.
The Question of Applicability
The most contested legal point concerned the applicability of German data protection law on Apple´s Privacy Policy. The Berlin court affirmed that under Art. 6 (1) Rome-I, the law of the Member State applies according to the location of the consumer. However, applicability is by no means a cut and dried issue as shown by the Facebook judgment where the Schleswig-Holstein court stated that the service would be subject to Irish data protection regulation. The Schleswig-Holstein court argued that Sec. 1 (5) of the German Data Protection Act, which states that if the controller has an establishment in another EU Member State other than Germany then the law of the other Member State applies, would be an "overriding mandatory provision" within the meaning of Sec. 9 (2) of the Rome-I Regulation. Although the Berlin court may have had strong arguments to counter the Schleswig-Holstein court's position, its failure to communicate them was at best, lacking in transparency, and, at worst, sloppy judicial decision-making.
The Merits of the Case
On the case's merits, the court granted the claim in full and, in doing so, provided scant reasoning. The judgment was based on an interpretation of each clause that is most disadvantageous for the consumer. In this regard, the court departed from the appropriate viewpoint of the "average consumer without legal education" to adopt the position of the "most naive customer imaginable". The court also held that location data, even where anonymized, must always be regarded as personal data – a reasoning that can only be explained with a blatant misunderstanding of the way location based services work.
Apple will likely appeal the decision and, if it does, there is a good chance that the judgment will be overturned on certain points. Nevertheless, other criticisms of the court do have merit such as the fact that Apple's Privacy Policy, in keeping with most policies in the market, lacks transparency and that the Privacy Policy does not sufficiently distinguish which category of data is subject to which purpose of use. Given the ambiguity rule, the court correctly assumes that this could be understood as a blanket license.
Impact of the Judgment
The question of whether or not German Data Protection law is applicable in cases like these is becoming a more prominent legal debate. The Berlin court has now made clear that it is not willing to follow the position of the Schleswig-Holstein court. The resulting debate has just begun, and it must be assumed that the Federal Court of Justice or the European Court of Justice will have a future say.
The court´s criticism of transparency should be taken very seriously since it is a key principle upheld by German courts and by the EU. The Berlin judges also switched the focus from completeness to comprehensibility/clarity and questioned the framework used by most market players due to its sheer ambiguity.
The judgment further highlighted two key points: the growing irritation in German courts about the privacy practices of international actors in Germany and the strategy of German consumer protection associations and DPAs to go after the big players for impact and publicity. This combination makes it critical for businesses in Europe to consider the German position when drafting their privacy-related processes and documentation.