Apple in Germany: the potentially long-lasting impact of a short judgment

Until the early days of June, Apple still has time to appeal against a Court ruling that nobody expects the tech company can afford to accept. The Berlin Regional Court in April decided [PDF] Apple's data protection directives were illegal according to German law. The complaint was filed by the Federation of German Consumer Organisations – VZBV, which is also currently suing Google and other US tech companies. Would higher instances uphold the judgment, many tech companies collecting a lot of data would have to react. Will Apple appeal the decision? Yes, says everybody except Apple itself, which did not get back to the Internet Policy Review.

The clauses in Apple's privacy policy guidelines were much too general and vague, data provided for internet services were mixed up with those processed during product orders, the Court declared. Users were very much left in the dark about who would get access to their data, the judgment said. Last, consent to share data of „befriended“ users and members of one's family was incompatible with the general legal principle that prevents agreement by one party to a contract at the expense of a third party.

Onslaught against online business models?

Eight of 15 clauses the VZBV complained against were said to be illegal by the Court. The other seven were already changed pre-emptively by Apple while the case was unfolding (see press release of the VZBV). It is not Apple alone the VZBV tries to push for stricter data protection – and collaterally more choice for consumers.

The VZBV has filed several complaints against Facebook. In 2012 the Berlin Court ruled for example that the „friending“-function was illegal. Facebook has appealed against this judgment. In December, the VZBV filed another complaint against data transfers without explicit user consent over the company's App Store. Cases against other companies are also pending. Consumer protection organisations have joined data protection officials in building a case against the „no privacy“-motto which prevails on the net.

Would the judgment against Apple - which declares a whole set of data privacy clauses of Apple illegal - be confirmed at the highest instance, it would in fact become much easier to compel companies to change respective clauses, says Helke Heidemann-Peuser, Head of the Department Collective Redress at the VZBV in Berlin.

Her association certainly was critical of many contracts for the lack of clarity about the purpose and scope of data collection and data use. “We see a need for much clearer clauses for consumers. We know it is difficult.”

Applicable law?

The most controversial issue with regard to the recent decision is the competency of German law and the Berlin Court. A highly expert discussion on the competency question has spread over blogs of data protection and net law experts. Certainly in earlier cases regarding similar norms Courts have decided otherwise. For example the Higher Administrative Court in the state of Schleswig-Holstein in April ruled it was the Irish authorities that were competent to deal with matters related to Ireland-based Facebook. The competency issue could, one observer wrote, allow Apple to still win. Heidemann-Peuser said: “The complaint stands and falls with the core concept of the German Data Protection law.” EU official communication, including Commission Vice President Viviane Reding's statements from recent years, on judging US companies according to European Union law when they are serving EU citizens brings us to the draft Data Protection Regulation of the European Union.

The EU Data protection regulation – stricter consent rules?

The regulation, which is currently being developed, will create a harmonised data protection law throughout the European Union, from data protection front-runner Germany, to other, less 'protective' countries. Suddenly, the member states would have a materially similar legislation, and it would make no difference whether tech companies are challenged in Ireland or Germany.

Sharpening the theory and practical implementation of informed consent is something pretty high on the agenda of the Data protection review. „Informed Consent“ is the topic of several hundred of the 3133 amendments that are currently processed by the EU Rapporteur of the leading Civil Liberties, Justice and Home Affairs Committee, Jan Philipp Albrecht.

His conservative colleague of the Christian Social Union in Bavaria, Manfred Weber, asked: “Consent shall be purpose-limited and shall lose its validity when the purpose ceases to exist; consent shall also be invalid when the data subject gives his or her consent in a general and abstract way to unspecified and unpredictable forms of data processing.”

Since 1995, Europe obliges firms to get informed consent. "The principle essentially is at the centre of the fundamental right to informational self-determination," wrote a group of well respected law professors in the German-newspaper Die Zeit. Only enforcement has so far been rather weak. Before there will be more clarity on data protection in Europe, there will be several rounds of fist-fighting – in the Courts and between corporate lobbyists. Specifically, the "Apple Case" in Berlin shows that the rationale that there cannot really be privacy on the net will presumably be challenged at every turn in Germany.

For more on the concept of informed consent, please read the analysis articles by Julian Staben: Part I and Part II.