Google’s privacy policy and terms of service violate German data protection law, the Regional Court of Berlin ruled Tuesday. The clauses are too vaguely formulated and can restrict the rights of consumers, said the Federation of German Consumer Organizations (VZBV), which brought the case..

The VZBV complained about 13 privacy policy clauses and 12 terms of service clauses, all of which were ruled invalid, VZBV’s policy officer for legal enforcement, Bianca Skutnik, said on Wednesday.

The decision could have far-reaching implications for Google, although it can still appeal the ruling.

“When it is final Google will have to change a lot, change its privacy policy and terms and conditions,” Skutnik said. But the federation will have to be patient: “If we’re lucky” the court of appeal will make a decision by the end of next year, she said.

ToS? TSOL

Google’s approach of asking users to check a box saying they agree to its Terms of Service and have read the privacy policy does not comply with German law, the VZBV said. The formulations used by Google are overly broad and need to be more specific, according to the federation.

Among the parts of Google’s German privacy policy that VZBV considers problematic are clauses where Google says it may collect device-specific information; may collect and process information about a user’s location, and may combine personal information from one service with information from other Google services.

Google also reserves the right to collect, analyze and process personal data further without the need for the user to give explicit consent, VZBV said, adding that it is unclear to consumers to what exactly they are giving their consent.

Besides ruling some clauses unlawful, the court also ruled that 12 clauses restrict the rights of consumers, the VZBV said. It had complained about the way Google its right to review and control, change and delete certain types of information, remove applications by directly accessing a device, and adjust functions and features of services completely at will.

The federation also complained that Google failed to explain what it meant by “reasonably possible” when it said users will be informed in advance about service changes when reasonably possible. It also said users were unreasonably disadvantaged when Google reserved the right to change the terms of service without asking their consent.

The same clauses are used in other Google privacy policies around the world.

Google did not immediately reply to a request for comment but will reportedly appeal the verdict, according to a statement shared with German media.

The Berlin Regional Court did not immediately respond to a request for comment.

The VZBV has been targeting the policies of large corporations since 2012. In May, the same Berlin court ruled that Apple violates German data protection law by asking for broad, overall consent in its privacy policy. It targeted Samsung Electronics too, and In June the Regional Court of Frankfurt am Main ruled 12 clauses in that company’s Terms of Service invalid.

Google’s latest privacy policy has been a point of dispute across Europe. The company faces financial sanctions in France because it failed to comply with French data protection laws. Privacy authority CNIL has issues with several Google policies, in particular how Google informs users about data that it processes and how it obtains consent from users before storing tracking cookies.

Similar action has been taken in Spain. In Germany, the Hamburg Commissioner for Data Protection and Freedom of Information began a formal action against Google in July over changes that were made to its privacy policy last year.