German court chides Google over its vague privacy policy and terms

Google(S goog)’s privacy policy is too vague, the Berlin regional court has ruled, upholding a complaint made by the Federation of German Consumer Associations (VZBV) in July 2012. The judgement is not yet final, though, and Google says it will appeal.

The VZBV had pointed out that that Google’s privacy policy was less than clear about what users could expect to happen with their data – Google “may” capture location data and “may” mix-and-match data from its various services, for example. Consumers are expected to give their consent to all this, but they can’t be certain what it is they’re consenting to.

The consumer rights group, which has successfully taken on the likes of Facebook(s fb) as well as Google itself in the past, was also irked that Google reserves the right to change its terms and provisions unilaterally, without further consent from the user. On Tuesday, the court agreed, ruling that a whopping 25 clauses in Google’s terms of use and privacy policy were unlawful.

A Google spokesman said late Tuesday that the company would appeal, arguing that its terms and privacy policy are indeed lawful. If Google loses its appeal and doesn’t change the clauses, it could face fines of up to €250,000 ($338,500) per violation, which in this case means per clause.

According to the VZBV, Google has maintained that consumer advocates should not be able to sue over privacy policies as these do not fall under the category of “terms and conditions” (consumers have to agree to terms and conditions, but only say they’ve read the privacy policy). The advocacy group wants the new coalition government, the formulation of which is currently being negotiated, to fix that part of the law.

In case you’re wondering how this judgement came through covering 13 privacy policy clauses as well as 12 terms-and-conditions clauses, if the law says privacy policies aren’t actionable in the same way as terms and conditions are, then join the club. VZBV itself doesn’t know yet, as the court has not yet published its rationale, but a spokeswoman for the organization told me it may be because Google deliberately split off certain terms into the privacy policy in order to protect itself.

Google unified its privacy policies at the start of 2012 to allow it to do things like having Google Search pick up on the user’s YouTube activity. Europe’s data protection officials are not pleased about this.

This post was updated at 3.20am PT to explain technicalities of the case.