German Court Rejects Apple's Privacy Policy

redletterdave writes "A German court rejected eight out of 15 provisions in Apple's general privacy policy and terms of data use on Tuesday, claiming that the practices of the Cupertino, Calif. company deviate too much from German laws (Google translation of German original). According to German law, recognized consumer groups can sue companies over illegal terms and conditions. Apple asks for 'global consent' to use customer data on its website, but German law insists that clients know specific details about what their data will be used for and why."

To be fair

[Vombatus]

It must be hard to ensure that every jurisdiction on earth will be happy with everything that you do

Re:To be fair

[gl4ss]

It must be hard to ensure that every jurisdiction on earth will be happy with everything that you do

it's not that hard. just go by the german definition.

Re:To be fair

[Stolpskott]

it's not that hard. just go by the german definition.

But that means that leaving your towel on a sun lounger before breakfast to reserve that sun lounger for your sole use is perfectly acceptable!

As with any other internationalized business, though... either you tailor your offering to match the requirements or lack thereof of local laws in each case, or you put together a "one size fits all" policy that incorporates the strictest interpretation of each element of local legislation in individual countries.
Apple and other international businesses might complain about the complexity of either approach, but that is part of the cost of doing business in an international environment. Suck it up.

Re:

[gl4ss]

it's not that hard. just go by the german definition.

But that means that leaving your towel on a sun lounger before breakfast to reserve that sun lounger for your sole use is perfectly acceptable!

As with any other internationalized business, though... either you tailor your offering to match the requirements or lack thereof of local laws in each case, or you put together a "one size fits all" policy that incorporates the strictest interpretation of each element of local legislation in individual countries.
Apple and other international businesses might complain about the complexity of either approach, but that is part of the cost of doing business in an international environment. Suck it up.

I meant german domestic definitions. What Apple has been going so far quite widely has been the Germans Abroad definitions.

Re:

[PolygamousRanchKid]

As with any other internationalized business, though... either you tailor your offering to match the requirements or lack thereof of local laws in each case, or you put together a "one size fits all" policy that incorporates the strictest interpretation of each element of local legislation in individual countries.

Yes, web sites need to be careful what they show in different countries. For example, a photo in the "Victoria's Secretions" catalog might be harmless in Europe, but get your balls amputated in a Muslim Brotherhood 'hood.

I noticed that WebSphere Portal Server actually has some configuration stuff, so that you can block pages for specific areas.

Re:

[AliasMarlowe]

a photo in the "Victoria's Secretions" catalog

Those photos sound wilder than the ones in the "Victoria's Secrets" catalog...

Re:

[WonkoS]

After all, car makers selling cars in the United States typically will build all of their models to meet California emissions standards, even if they are more strict than the rest of the country. Seems like a similar case.

Re: To be fair

[yacc143]

Well, the problem is that European privacy guidelines are a completely foreign concept to US data collection practices.

Ok, let's detour slightly: A typical US american has a couple of "fundamental rights", and the moment someone threatens them, get up in arms. E.g. most jurisdictions have at least a little weaker Freedom of Speech rights. Now Germany considers Privacy (and a number of related concepts releveant to IT) a fundamental Human right. As in, your data is yours. And by default companies (and even t

Re:

[Gonoff]

It must be hard to ensure that every jurisdiction on earth will be happy with everything that you do

it's not that hard. just go by the German definition.

Or even any civilised one. Look at EU rules for example.

Re:To be fair

[AuMatar]

You don't have to- you only have to make sure its legal in the countries you sell it in. Germans aren't suing because of Apple violating their law in America, they're suing them for violating it in Germany. If you aren't willing to abide by the laws, then don't sell in that country.

Re:To be fair

[gnasher719]

You don't have to- you only have to make sure its legal in the countries you sell it in. Germans aren't suing because of Apple violating their law in America, they're suing them for violating it in Germany. If you aren't willing to abide by the laws, then don't sell in that country.

Germans are not actually suing. They don't need to sue. Parts of Apple's policy have been declared invalid, which means that legally these parts don't exist.

Re:To be fair

[Sockatume]

Given that the invalidated parts give Apple permission to do certain things with the data, Apple now has to stop doing those things, or it will be open to legal action.

I've got this one

[smittyoneeach]

And then governments get the notion to sue, which of course raises messy issues of jurisdiction, discovery, &c.
1. So Apple pays a fine to Germany.
2. Germany bails out Greece.
3. Euro crisis solved. Profit!!!
Screw you, Underpants Gnomes [wikipedia.org]!

GSK

[Frankie70]

USA fined British pharma company GSK 3 Billion Dollars

1. GSK pays a fine to USA
2. Everybody in the USA gets a free Obama Phone, with money left for future Obama Cars, Obama TVs etc
3. US Deficit not solved. No Profit!!!

Re:

[noh8rz10]

Screw you, Underpants Gnomes [wikipedia.org]!

I think people get the meme without a wiki link, thankyouverymuch.

Re:

[smittyoneeach]

And if I'd left off the URL, I'd've gotten the rubber chicken flogging for doing it ronngg.

Re:

[AmiMoJo]

What about historical law-breaking? Generally speaking the onus is on you to make sure what you are doing is legal, not on the authorities to point it out and then give you amnesty for past abuses.

Re:

[HiThere]

That's the presumption in the US, but I'm not sure that it's a good presumption, and I'm not sure it's a globally accepted presumption.

Re:

[thephydes]

I couldn't have said it better - thank you!

Re:

[flimflammer]

Sure, but that's not what's happening. They don't exist in every jurisdiction on earth, just the ones they do business in. Maybe Apple shouldn't do business in countries if it's too hard for them to obey the local laws..?

Re:

[Anonymous Coward]

As a corporation it isn't hard, they just are not willing too. And come on, this is Apple. You think they'd easily give up control?

And, it costs money to have privacy policies updated and policed so they are legal in multiple markets, do they think Apple is made of money?

Re:

[TheP4st]

do they think Apple is made of money?

What is wrong with thinking that? http://paritynews.com/business/item/847-moody-apples-cash-reserve-to-cross-$170-billion-by-2013 [paritynews.com]

Re:

[moronoxyd]

And, it costs money to have privacy policies updated and policed so they are legal in multiple markets

You know what I fear?
That Apple does just what you describe: Change the words of their privacy policies, but don't actually change the processes used to handle data.

Re:To be fair

[gnasher719]

You know what I fear?
That Apple does just what you describe: Change the words of their privacy policies, but don't actually change the processes used to handle data.

But the _words_ of their privacy policy _is_ what was wrong. Nobody in Germany requested Apple to change its policies; they requested that Apple lists precisely what they do so that customers can make an educated decision whether to agree or not.

Re:

[moronoxyd]

No. They expect Apple to follow the law.
The law does not only talk about the wording of your privacy policies, but your actual conduct.

Re:

[Gonoff]

... do they think Apple is made of money?

Not far off. They are certainly made of lawyers which is pretty close.

Re:

[TrollstonButterbeans]

I think you have a fundamental misunderstanding of what is "really" going on.

The harder Germany harasses existing players, the more they cement the well-funded ones like Apple/Google/Microsoft into a position of having an insurmountable barrier to entry.

This doesn't hurt big companies, it makes sure the smaller ones cannot enter the market.

It is a short-term inconvenience for Apple, sure, but a long-term benefit for the top players to have this market locked down in a parade of red tape.

Re:To be fair

[hydrofix]

Err.. The European privacy laws are pretty much common sense. Just consider that people have the right to know what personal information is stored of them. If you are open about what information you collect, you should have no problem. But if you want to obscure what information you collect or collect more information than you openly admit, you are going to have a bad time.

Re:

[Anonymous Coward]

Your analogy sucks.

Apple currently reserve the rights to snatch information that you never intended to send over the Internet form your phone and use it for whatever reasons without telling you.
The German law says that they can't do that without telling you.

Re:To be fair

[soccerisgod]

Strawman. You're not responsible for what happens with the data in transit to you, but you are responsible for a) what data you take from your customer (via app on the phone, for instance, reading out the phonebook) and you are responsible for what you do with the data once it has arrived at your end.

Actually, that's wrong. If you are sending the data from your application on the user's device to yourself, you're also responsible for what happens in transit: You could easily crypt the information.

Re:To be fair

[AmiMoJo]

If you or your system is sending me personal information, then you can assume it's been stored somewhere, multiple times, and will be used for whatever purpose forever, and can't be deleted.

The EU and most member states have strict laws forbidding that. You have to justify storing any personal data, there are limits on what you can do with it, you can't keep it forever and must delete it under certain circumstances.

If it gets transmitted in the clear, consider it stored and used for ANY purpose.

In both the EU and US that would render the intermediate nodes routing the traffic liable for its content. In order to avoid liability they must not use the data in any way, merely pass it along.

It would be like sending a message on a post card then getting mad that people can see what you wrote, copy it, and do whatever they want with the copy.

It is actually illegal to open sealed envelopes not addressed to yourself here. That's why most banks don't send statements on the back of a postcard.

Re:

[xelah]

Just because it's always possible someone is behaving illegally doesn't mean that people should accept this and not use legal means to attack it and those who do it.

It would be like sending a message on a post card then getting mad that people can see what you wrote, copy it, and do whatever they want with the copy.

Or, how about getting mad when you walk down the street without so much as basic body-armour and someone shoots you? None of this excuses illegal behaviour.

You're hopelessly confused

[Sockatume]

The rules in question don't apply specifically to the internet. If you give an organisation your information, and they store it (relaying the information doesn't count), they have to properly represent what that information will be used for. This is to allow the individual to make an informed decision as to whether or not to perform that exchange of information.

Encrypting the information on the way to the organisation doesn't make a blind bit of difference to that, so I'm not sure why you brought that up.

Re:

[Anonymous Coward]

It may come as a shock, but the whole purpose of law it to define a distinction of allowed/disallowed, and this is not the same as possible/impossible.

Re:

[Sockatume]

Quick question: can I simply take your videogames and publish them on the App Store as my own? They're unencrypted and on the internet, so according to you I have the right to use that information as I please.

Re:

[Sockatume]

The information that Apple stores is not a set of publicly available facts.

Re:

[Sockatume]

Your argument is essentially (from reading your previous posts for context), "they did this on the internet, therefore no law applies"?

Re:

[Sockatume]

I expect that you fully endorse this [slashdot.org], then?

Re:

[Teun]

Well, how on Earth could anyone deny them this right? If you or your system is sending me personal information, then you can assume it's been stored somewhere, multiple times, and will be used for whatever purpose forever, and can't be deleted. THAT'S common sense

Maybe it's common sense where you live.
Within the EU it is without mutual agreement distinctly illegal and Germany is part of this EU, we EU citizen expect our privacy to be respected by the companies we get in touch with, even more so by those we do business with.

Re:

[Saint Gerbil]

People are different, laws are local, failing to realise this is bad business.

Its like launching an English website in France, your not going to get a lot of customers.

Re:

[dfghjk]

It's not "everything that you do", it's something specific and it's not hard when you aren't shady.

Re:

[xelah]

That's one reason the EU was created. Must be harder still in the US, with so many states. However, you can probably miss some jurisdictions. You probably only need to worry about those places you have a presence, plus maybe the local bullies (eg, the US in much of the 'West', possibly Russia if you're somewhere like Ukraine or Belarus). A western Internet company which isn't targeting or operating in China probably doesn't need to care about Chinese laws.

Germany and proteciton of privacy.

[fazig]

With organisations like the StaSi and GeStaPo in more recent German history, the protection of the individual's privacy is a serious issue in Germany.
Now and then politicians try to create another surveillance state for example to fight "child pornography", but fortunately they haven't succeeded to enact their crazy laws so far.

Re:

[Anonymous Coward]

What a strange thing to say. It's good that Germany rejects Apple's user subjugating privacy policy quite regardless of anything else.

If anything, corporations will care even less for your privacy. If you have revelations about the German state, feel free to submit a news item...

Re:

[Anonymous Coward]

Neat defense of Google 'they're bad, but not as bad as the Stasi'

Re:

[fazig]

The German state already intrudes deeply into people's personal lives. On the other hand, in the guise of protecting "privacy", it prevents private organizations from verifying or monitoring its data collection, and it refuses to disclose what it has, how it is using it, or how it is operating.

Please elaborate.

Re:

[Lonewolf666]

Actually, there is some state intrusion, but it may be worse in the US:
http://yro.slashdot.org/story/13/05/05/2329240/former-fbi-agent-all-digital-communications-stored-by-us-govt [slashdot.org]
In Germany, the current government seems to be really eager to install a similar level of surveillance, but the Bundesverfassungsgericht (special court for constitutional issues) has killed the last law that was introduced to make ISPs collect data and keep them available for the authorities.

Right now the next round has been starte

Re:

[Savage-Rabbit]

With organisations like the StaSi and GeStaPo in more recent German history, the protection of the individual's privacy is a serious issue in Germany.

Notice the "Sta" in those organizations, as in "state"? Privacy in Germany has always been a problem of state intrusion into individual lives, and that is still rampant in Germany and voters largely don't care.

All this beating up on Google and Apple is a smokescreen to deflect from the horrible state of privacy in Germany.

Now and then politicians try to create another surveillance state for example to fight "child pornography", but fortunately they haven't succeeded to enact their crazy laws so far.

The German state already intrudes deeply into people's personal lives. On the other hand, in the guise of protecting "privacy", it prevents private organizations from verifying or monitoring its data collection, and it refuses to disclose what it has, how it is using it, or how it is operating.

Ok, firstly the Stasi is history so don't try to smear it all over contemporary issues to make some sort of point that only makes sense to a neo-cnoservative mind, there are very few people here who watch FoxNews or whatever the German equivalent of that sewage pump may be for any other purpose than to amuse themselves. Secondly, if you are going to accuse the German state of gross privacy violations name concrete examples (read: more than one) and provide details.

Re:

[Sockatume]

Actually the same EU data protection rules that apply to private companies apply to governmental organisations. In the EU in general, the organisations most frequently targetted for data protection and freedom of information breaches are public ones.

Re:

[Anonymous Coward]

The problem is that the USA have the power to spread their mistakes to a large part of the world.

Local laws vs. international standards

[DNS-and-BIND]

I'm experiencing cognitive dissonance; can anyone help me out? This seems to be cheered by posters who say that national laws are a good thing and foreigners should be forced to bend their knees whenever there is a conflict. However, in previous stories I have heard precisely the opposite: local standards are for ignorant redneck bullies who are too stupid to realize that their hillbilly local ordnances should be harmonized with international standards [slashdot.org]. Please reconcile.

I've no time to check, but ....

[Robert Frazier]

It would be interesting to know whether there is anyone who holds both of the following positions.

1. The German finding is unfair to Apple because Apple, quite reasonably, shouldn't be required to follow the law of every land in which it does business..
2. Criticising Apple for caving in to the censorship requirements of the Chinese government is unfair to Apple because Apple, quite reasonably, should be required to follow the law of every land in which it does business.

Best wishes,
Bob

Re:

[silentcoder]

If you put it like that - it's not possible, however I do hold the both those views - only each have an ammendment you didn't consider "provided they are in line with the international agreement on human rights".

As a general rule (though aside from that) I believe that whenever a company does business in another country, it should be compliant with the laws of BOTH it's parent country AND the one it operates in except where those are contradictory to the point where following one would violate the other (t

Re:

[dragonsomnolent]

A quick google search turned up that yes, indeed you do have to follow some laws of the US when travelling abroad. I believe the underage sex one is one of the biggies (I've heard rumors that drug use is another, but I can't find anything to confirm it).

Re:better idea

[AuMatar]

Why should it be on the people? If the company doesn't want to follow their laws, they shouldn't sell their stuff in that country. By choosing to operate in Germany, they have to follow German laws for products sold in that country. Don't like it, decide not to sell there.

Re:better idea

[Anonymous Coward]

The injustice here isn't to Apple, it's to other potential customers. One group of people is needlessly imposing their views of privacy on another group; instead of saying "I don't like Apple's privacy terms, so I don't use them", they say "I don't like Apple's privacy terms, so I am going to prevent you from using them as well".

Wrong. German law says that what Apple is doing is illegal, so they have to stop or they are going to be fined. And please read again what this issue is about. Apple can very well collect personal data and provide services that use them, they just have to inform customers what they are collecting and for what purpose, so the customers can make an informed decision. Their current privacy policy basically says: "We collect whatever data we want, we do whatever we want with it and reserve the right to share it with anybody". That is simply not allowed and has to change, so please enlighten us where you see any injustice.

Re:better idea

[Anonymous Coward]

You need to forgive him. He is American, and over there laws only apply to regular people. Not to companies, and especially not to the rich (and Apple is both of those).

Companies can ignore the law all they want, and if someone disagrees, he can stop buying their product.

The whole concept of the law applying equally to everybody is foreign to them. Not that it always work that way in Europe, but it works often enough that we are used to the concept, and don't start arguing against it when it does work.

Re:

[Anonymous Coward]

However, you fuckers need to get bent if you think it's actually possible to comply with those laws at a technical level.

I am sure Apple devices sold in Germany are very identifiable as devices sold in Germany by Apple. I am sure each device has a unique id. It is not a technical problem to filter wich devices can collect which information but more of a problem of the will to comply with local laws.
All companies will try the shortcuts first before they are told to go the long way around.
It is about business efficiency. (saving a buck if you can)

Re:

[Anonymous Coward]

However, you fuckers need to get bent if you think it's actually possible to comply with those laws at a technical level.

The iTunes store is very good at identifying and limiting access to country specific content, IMHO it is not a technical problem to comply to country specific terms and conditions.

Re:

[JonJ]

Apples Global Service Exchange is quite accurate with regards to country of origin for their products with serial numbers.

Re:

[Sockatume]

Funnily enough if I want to do business in a public space I have to properly represent what I am doing there, or I can get done for misrepresentation.

Re:

[Elldallan]

Laws do not have to be possible to comply with or even logical, you still have to obey them the same. If complying with privacy laws concerning handling and collecting of sensitive data is impossible or prohibitively expensive the answer is easy, don't collect or handle the data at all, problem solved.
You can't just keep going in the same old track and claim that complying with the law is impossible or prohibitively expensive so you won't bother complying.

Only when the government requires you to do thing

Re:

[drinkypoo]

Apple is just covering their ass

Uh no. Apple did nothing to cover their ass here, and that's why it's about to get bitten. They did not even attempt to cover their ass. They have to tell you what they (not unauthorized intermediate parties, you bullshit prevaricator) are doing with the data, and they aren't doing that. If anyone they're contracting can't tell them what they are doing with the data, then it's gross incompetence and possibly malfeasance as well to share data with them.

Re:

[Ardyvee]

So in theory they could write: We're going to sell it/share it with [company], and be on the clear? Or am I thinking too little and the other company would also have to state what they do with such personal information?

Re:

[Sique]

Actually yes. The other company has to expressively state what they will use the information for. And they are not allowed to use if for anything the customer has not agreed on. And that's Apple's problem here. They actually can't tell what their contract partners will use the information for, so they can't tell their customers, as they are required by law to do. So either they don't collect the data, or they make a better job at explaining to the customer what the data is used for before collecting it.

Re:

[ais523]

There's a similar law in the UK, and companies generally comply with the letter. (Although I've seen some interesting ways of working around the spirit; one form I saw asked for permission to use the information in a variety of ways, which were opt-ins and opt-outs more or less at random, so you had to read it carefully to determine which boxes to tick.)

Re:

[moronoxyd]

This is a strawman argument.

The ruling is not about connection data like IP addresses needed to establish connections.
This is about the data that Apple collects outside of that: email addresses, contacts, geolocation.

If I use, say, iCalendar, obviously I allow Apple to collect and save the data of my appointments. But before Apple can share this data with third parties, they have to tell me which third parties and what data. This isn't 'the privacy policy of the internet at large'. This is Apples (and Goog

Re:

[Ardyvee]

Wait. Enlighten me. You mean I can't write the next: I'll store all personal information you send me. I may sell it, analyze it, share it, simply store it, change it, format-shift it, clean my *** with it, laugh at it, preserve it as my most dear possession, etc? You mean I can't do that?

Because it seems to me that is quite clear on the intent of the company: I may use it for anything. Or you mean companies would have to add to their TOS that they may use it for: [insert long list of things], and update it

Re:

[Teun]

Indeed, companies have a duty of respect to their customers, that's you and me first, not their business partners.

Such respect is very good if not essential for all involved.

Re:

[HiThere]

Actually, IIUC, even documenting what they do wouldn't help Apple much, as then they would be admitting to breaking the law. (That's not in the court decision, that's in Apple's mode of business.)

In particular, it is my understanding that it is illegal for Apple to collect information in Germany and transmit it to a location where the laws don't "adequately" protect the information. Like the US. And that that's one of the things they do.

So, IIUC, this court decision is a requriement that they document th

Re:better idea

[Eunuchswear]

Why should it be on the people? If the company doesn't want to follow their laws, they shouldn't sell their stuff in that country.

It should be "on the people" because some people may not have a problem with policies and may want to do business with Apple anyway.

Absolutely. Everyone should be free to decide which bit of the law of the land they want to follow.

I, for example, can't see why we are not allowed to burn glibertarians in the public parks.

Re:better idea

[moronoxyd]

It should be "on the people" because some people may not have a problem with policies and may want to do business with Apple anyway.

What's your point?
The basis of the complaint was, that Apple is not transparent about what it does with the data collected.
If they are transparent about it and tell the users what exactly thy are going to do with the data BEFORE any data is collected, they're basically fine.
And then the users who are fine with can use those services.

But Apple, like many other companies, wants to have the right to do anything without telling what they do.

The European data protection laws lay the groundwork for users to be able to decide freely what services to use and what not.
The basis for a free decision is INFORMATION.

Re:

[Rockoon]

But Apple, like many other companies, wants to have the right to do anything without telling what they do.

Hate to be a defender of Apple, but you just took shit out of your butt and added it to the argument.

The issue is that they arent telling what they do, not that they "want to have the right to do anything." These things are not mutual, so you don't get to argue as if they were.

Is it really so hard to stick to the substance here? Seriously.. it isn't... you could bash apple for a week without having to pull shit out of your ass, so why are you pulling shit out of your ass? Every time you reach for your

Re:

[moronoxyd]

But Apple, like many other companies, wants to have the right to do anything without telling what they do.

Hate to be a defender of Apple, but you just took shit out of your butt and added it to the argument.

The issue is that they arent telling what they do, not that they "want to have the right to do anything." These things are not mutual, so you don't get to argue as if they were.

You quoted the relevant sentence of me. Can you read the last five words of it? They are 'without telling what they do'

So yeah, I did stick to the substance: They want to have the right to do anything WITHOUT TELLING WHAT THEY DO.

Stop reading sentences halfway through, please.

Re:

[Rockoon]

They want to have the right to do anything WITHOUT TELLING WHAT THEY DO.

OK I'll take what you said in its entirety at face value, without any use of rationalization to extract truth from your statement. Now there is no truth at all, because the claim you are making is false.

Anything' includes the entire set of things within imagination.

Either you want me to treat you as a sloppy statement maker that needs to be parsed with the obvious deficiencies of your vocabulary selection segregated from the rest of the stuff that you say, or you want me to presume that you arent such

US tendency to data permissiveness

[Sockatume]

It's more likely that Apple probably has very specific uses in mind for the data, but the US is an anomalously permissive environment with regards to how people's data can be handled and therefore it never occurred to them to enumerate their intended uses.

Re:

[HiThere]

You are assuming that their current business practices are otherwise in accordance with German law. I have a very strong doubt that this is the case. So to me this sounds like a requirement that they admit that they are breaking the law. But not documenting what they are doing is also breaking the law.

(In particular, I believe that it is illegal under German law for non-anonymized data to be sent from Germany to the US, due to the US lacking acequate safegards against abuse of personal information. I co

Re:

[Sique]

That's exactly what was wrong here. Apple didn't put enough information in the privacy policy to allow the customers to make an informed guess if they like it or not.