Privacy Advisor

GERMANY—Berlin Court Declares Apple’s Privacy Rules Void

June 1, 2013

By Flemming Moos

On April 30, the Regional Court of Berlin handed down a not-really-convincing judgment in which it declared eight provisions in Apple’s privacy rules null and void. The court argues that the provisions in Apple’s privacy policy would violate German laws regarding Standard Business Terms because they would fail the test of reasonableness. According to this test, Standard Business Terms are invalid if, contrary to the requirement of good faith, they unreasonably disadvantage the other party to the contract with the user—which is to be assumed if a provision is not compatible with essential principles of the statutory provision from which it deviates.

In this respect, the judges held that the eight provisions would deviate too far from the German data protection rules enshrined in the Federal German Data Protection Act and the Telemedia Services Act.

The ruling is not well-founded in two aspects. Firstly, it seems very doubtful whether material German data protection laws apply at all. The court has not addressed this issue, although this was indicated because defendant was Apple Sales International with its business seat in Ireland. In the case against Facebook Ireland, the Schleswig-Holstein Administrative Court of Appeals decided on April 22 that the data processing by Facebook in relation to German users is not subject to German but only Irish data protection law. This goes back to binding provisions stemming from EC Directive 95/46/EC, according to which a member state shall not apply its national provisions that it adopts pursuant to the EC Directive in case the data processing is carried out by a controller on the territory of another member state.

Secondly, the court misinterpreted the German data protection rules. In particular, the court assumed that the provisions contained in Apple’s privacy policy would be a part of a declaration of consent in terms of Sec. 4, 4a Federal Data Protection Act. If one looks at the wording of the provisions and how they are included into the contract with the user, this seems doubtful because no consent language is used. Therefore, it appears that the provisions relating to the collection and processing of user data are rather a description of Apple’s data handling activities for the performance of the contract between Apple and the user. As far as these data processing activities are necessary for the performance of the contract, consent of the user would not be required.

Consequently, just looking at the legal reasoning, it would be a surprise for Apple not to seek an appeal of the decision.

Flemming Moos is a partner at Norton Rose in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at flemming.moos@nortonrose.com.