German court rules Google privacy policy violates data protection law

Google has certainly suffered its share of scrutiny from privacy regulators recently.  The company faces financial sanctions in France and Spain for failure to comply with privacy laws.  Now a German court has ruled that as many as 25 provisions in its privacy policy and terms of service violate German data protection law.  The court indicated that the offending provisions were too vaguely formulated, and prevented or restricted consumers from exercising control over their personal data.  In all, 13 privacy policy provisions and 12 terms of service provisions were held invalid.

Google, like many other high-tech companies, asks consumers to click a box if they agree to its Terms of Service and have read the Privacy Policy.  This approach does not comply with German law, which is much stricter than any of its US counterparts.  German data privacy law requires the consumer to make a more definitive and conscious choice to opt in to provisions that would allow collection and use of personal data and restrict the consumer’s ability to delete or change his or her preferences.  The consumer’s consent must be explicit and ongoing.  Google’s vague data privacy and terms of service provisions simply don’t go far enough to satisfy that threshold of continuing control by the consumer.

Google has indicated that it will appeal this decision, and a decision from the court of appeal is not likely until late 2015.

The Federation of German Consumer Organizations, which brought the case, complained about, among other things, the way Google obtained its right to review and control, change and delete certain types of information, remove applications by directly accessing a device, and adjust functions and features of services completely at will.

Companies collecting personal information should take this as a wake-up call.  Google is not the only company to run afoul of European privacy laws.  Both Apple and Samsung have been before the same court and had a number of privacy policy provisions held invalid.  Under proposed EU rules, effective as early as June 2014, companies could face fines of as much as $135 million for violations of the new data protection laws.