German Court Slashes a GDPR Privacy Fine by 90%Case Highlights How Organizations Sanctioned for Violations Can Appeal
A German appeals court has slashed by 90% a General Data Protection Regulation fine levied by the nation's federal privacy watchdog against 1&1 Telecom over call center data protection shortcomings.
In December 2019, Germany's Federal Commissioner for Data Protection and Freedom of Information, or BfDI, announced a fine of 9.6 million euros ($11.3 million) - at the time, the second-largest privacy fine ever announced in Germany - against 1&1 Telecom.
The BfDI alleged that the company had failed to put in place "sufficient technical and organizational measures" to protect customer data in its call center environments. 1&1 Telecom vowed to appeal (see: GDPR Violation: German Privacy Regulator Fines 1&1 Telecom).
The BfDI says it fined 1&1 Telecom after discovering that those contacting its call center could retrieve customer information simply by giving their name and date of birth, which it said was an insufficient level of authentication for protecting customer data.
A district court in Bonn on Wednesday ruled that because "the fault of the telecommunications service provider is minor," the penalty should be reduced to 900,000 euros ($1 million).
"The court said in its judgment that there was no knowledge of further problems in the authentication practices in the company," says attorney Jonathan Armstrong, a partner at London-based Cordery, who was not involved in the case. "We've always thought the appeal mechanisms in GDPR would be used successfully, and this case proves that. It still shows however that authentication - checking someone is who they say they are - is an important part of a company's GDPR responsibilities."
1&1 Telecom says it is studying the judgment and may take further legal action.
"We welcome the decision of the regional court to significantly reduce the fine imposed by the federal data protection officer," says Julia Zirfas, 1&1's data protection officer. "This is a clear signal that the original fine of 9.55 million euros was in no way related to the present, individual case. Nevertheless, the amended fine is also a significant amount. We therefore reserve the right to take further legal steps after a detailed examination of the ruling."
Based in the small, western German city of Montabaur, 1&1 Telecommunication SE is one of Germany's biggest DSL and mobile service providers. It's a subsidiary of 1 & 1 Drillisch AG, which is one of the country's largest network-independent telecommunications providers, with about 14 million customers. The company is part of the United Internet Group, which includes all other 1 & 1 companies, including the popular global hosting firm 1&1 IONOS.
Responding to the appeals court decision, Germany's Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber, said the ruling validated the BfDI finding that 1&1 Telecom had violated GPDR's data protection requirements by having insufficient security measures in place in its call center. "This shows: Data protection violations are not without consequences," he says.
The case against 1&1 is the first major court case that the BfDI has handled since GDPR came into full effect in May 2018.
"I am convinced that this decision will be noticed in the executive floors of companies," Kelber says. "I am still waiting for the written reasons for the judgment, but it is clear right now: No company can afford to neglect data protection anymore."
Fines Must Stand Up in Court
Cordery's Armstrong says the case is a reminder that GDPR penalty norms are emerging, and that when regulators attempt to impose relatively hefty fines, they might have to later justify them in court.
"The case reminds us that data protection authorities are likely to face challenges to high fines in the courts," he says. "In some respects, the fine mechanism in GDPR is based on the system in use in competition law cases, where the success rate in appeals has been high."
One lesson from 1&1's successful appeal, he says, is to ensure that when an organization suffers a breach, it rapidly investigates, assesses, remediates and mitigates the incident, thoroughly documenting everything. These steps can give a company ammunition for appealing a large fine in court. "1&1's fine reduction to less than 10% of the original fine underlines that strategy," Armstrong says.
UK: Marriott, British Airways Fines Lowered
News that the German appeals court slashed the fine against 1&1 Telecom by 90% follows Britain's data protection authority, the Information Commissioner's Office, last month announcing much lower final fines against two organizations that what it had initially proposed.
In July 2019, the ICO issued notices of intent to fine British Airways 184 million pounds ($242 million), and Marriott 99.2 million pounds ($131 million). While steep and record-setting, these proposed fines were nowhere near the maximum possible under GDPR. With $20.8 billion in 2018 revenue, for example, Marriott faced a maximum possible fine of nearly $840 million.
In recent weeks, however, the final fines announced by the ICO - while still record-setting for the U.K. - were much lower: down to 20 million pounds for British Airways and 18.4 million pounds Marriott, respective reductions of 90% and 80% from what had originally been proposed. The ICO says it took into account the current economic climate - the state of the aviation industry in particular - when setting the revised fines.
Armstrong says one notable aspect of the Marriott case is that the hotel giant has agreed to not contest the final fine. That saved the ICO from the expense of battling an appeal - as the BfDI had to do - at the risk of potentially losing the case (see: Marriott and BA's Reduced Privacy Fines: GDPR Realpolitik).
Big Privacy Fines: Appeals Likely
But the massive difference in the U.K. between the proposed and final fines, and in Germany between what a regulator demanded and an appeals court later calculated, shows that GDPR sanction amounts remain an open question.
"The risk calculus now on fines will be to appeal, seeking a 90% reduction," says Daragh O Brien, managing director of Castlebridge, an information management consultancy based in Ireland.
Haymaker punches can be effective if they land successfully. But often a better strategy is smaller more focussed strikes that build over time. But that can take discipline and a focus on process. It also requires you to keep hitting. pic.twitter.com/AeiheVQFII— Daragh O Brien (@CBridge_Chief) November 13, 2020
O Brien suggests that regulators should work to impose GDPR penalties that are appropriate for the situation. "The temptation for regulators to throw headline-friendly haymaker punches is strong. But if that results in courts reining them in, it weakens regulation overall," he says. "Often a better strategy is smaller, more focused strikes that build over time. But that can take discipline and a focus on process. It also requires you to keep hitting."