Apple store employees accused of having accessed and shared female customers’ photos.

According to the Australian newspaper, The Courier-Mail, there have been reports of employees in the Apple Store in Carindale near Brisbane, Australia secretly having taken close-up and ‘explicit’ photos of female employees and customers. These photos were then shared to a group chat with other staff members and rated on a scale from 1 to 10. What’s more, a Genius Bar employee was  allegedly caught copying intimate photos from iPhones customers had brought in for repair.

Employees fired. No evidence found.

Apple stated that there was no evidence of customer data or photos having been inappropriately transferred, nor of customers having been photographed by employees. The tech company meanwhile confirmed that several employees have had their employment terminated as a consequence of violating Apple’s business conduct policy, specifying:

“Apple believes in treating everyone equally and with respect, and we do not tolerate behavior that goes against our values.“

While it seems surprising that Apple should terminate the services of these employees when no evidence of any wrongdoing has been found, from a European point of view the question that comes to mind is whether the alleged transgressions –if true– might be more than just a violation of Apple’s policy. What does this mean for the customers’ privacy rights and could this employee behavior even constitute a criminal offense?

What if this had happened in – say Germany?

As to accessing photos stored in the iPhones customers brought in for repair, one could think of Sec. 202a German Criminal Code (StGB). This provision deals with data espionage and penalizes unauthorized access to data on secured devices by overcoming the access control measures. In the case at hand, the devices brought in for repair were at that moment no longer secured against unauthorized access, as the technician would need to have been granted access in order to carry out the service. The alleged action would therefore not constitute a criminal offense under that provision. Accessing and sharing customers’ photos could however constitute a criminal offense according to Sec. 201a para. 2 German Criminal Code (StGB). According to this provision, it is a criminal offense to make accessible to a third person without authorization another person’s picture that might considerably harm that person’s reputation. This means that, depending on the kind of picture, the reported activity could constitute a criminal offence according to German law.

With regard to clandestine picture taking and sharing of those pictures in a group, under German law, this might constitute an infringement of Sec. 22 German Art Copyright Act (KUG). According to that provision, photographs of a person may only be taken and distributed with that person’s consent. If indeed customers and employees were photographed and these photos were then shared to a group, this would fall within the scope of aforesaid legal provision.

No statutory definition of privacy in Australia

Australian common law does not recognize any general legal right to privacy (Victoria Park Racing and Recreation Grounds Co Ltd v. Taylor) and it is unclear whether it recognizes tort in violation of privacy. In their Report 123 on Serious Invasions of Privacy in the Digital Era, the Australian Law Reform Commission (ALCR) recommended that a statutory clause of action for serious invasions of privacy should be contained in a new, stand-alone Commonwealth Act. The report has been tabled on September 3, 2014 and is awaiting a response from the Australian Government.

The Australian Data Privacy Act 1988, which applies to government agencies and some private sector organizations, regulates the collection, use, storage and disclosure of personal information. While an individual’s photograph regularly will constitute personal information, a person’s consent is usually not required for their photo to be taken unless it is intended to be used commercially.

Statement of the Australian Privacy Commissioner

The Australian Privacy Commissioner, Timothy Pilgrim, is looking onto the allegations and considers making inquiries with Apple to seek further information while commenting, that “this is an important reminder that all organizations that collect and manage personal information need to embed a culture of privacy and ensure employees understand their responsibilities”. Pilgrim further recommended that organizations take reasonable steps to protect the personal information they hold.

What does the story teach us?

Not only is this a reminder to organizations but also to every one of us to be very careful about which information we store on a device that we may need to hand over for service to another person who will have access to that information. Unless you are in the unfortunate situation of not being able to access any information on your device, you should always make a backup of all data and then delete it from your device before sending it in for repair.