A German court has slashed a General Data Protection Regulation (GDPR) fine imposed on one of the country’s largest telecommunications service providers by over 90%, calling it “unreasonably high.”
1&1 Telecom GmbH was originally fined €9.55 million last December for a data breach rooted in lax company policies on releasing personal information over the phone. The court in Bonn that heard the company’s appeal has reduced the fine to a relatively affordable €900,000, citing as a primary reason the limited amount of sensitive data that could actually be obtained.
German court undercuts one of the largest EU fines
1&1 Telecom GmbH was fined by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) over an issue in the company’s customer service department. Callers to the customer service line were given personal information from a user’s account after doing nothing more than providing that user’s name and date of birth, two facts that any acquaintance, let alone a former partner, is likely to know. The issue came to light when a customer filed a complaint against a stalker, a former partner who had used this security flaw to obtain the customer’s new phone number.
Though BfDI argued the breach “posed a risk for the entire customer base,” the district court in Bonn decided upon review that the GDPR fine was too high given the limited amount of information an unauthorized party could potentially obtain. While an attacker could be given a current phone number, as happened in the complaint against the stalker, the court held that the lack of access to “individual connection certificates, traffic data or account connections” made it a “minor breach.” Central to the decision was the fact that a “mass handing over of data to non-authorized persons” was not possible via this method, since each call yields the data of only one account.
1&1 Telecom GmbH welcomed the GDPR fine reduction in a public statement, but also said that it considered the new amount might still be too high and that it would be conducting a detailed review of the decision.
Lessons and precedents for future GDPR fines
The German court’s decision to drastically reduce the GDPR fine is noteworthy from a legal and compliance standpoint as it establishes some interesting precedents.
One pertains to the Conference of German Data Protection Authorities’ five-step procedure for determining the size of GDPR fines, one of the few formal processes that have been established at a national level among EU countries. The procedure takes company size, annual turnover, the severity of the data breach, and mitigating factors into account among its formalized elements for calculating how a fine should be assessed. The Bonn court’s reversal shows that this procedure is far from binding in terms of GDPR fine amounts; the decision also specifically pointed out that annual turnover should not drive the calculation (per the GDPR’s own terms). In a broader sense, the German court’s decision signals to organizations that it is worth the effort to challenge decisions based on national guidance of this kind, since such guidance may rest on legally questionable elements.
This also builds toward more predictable expectations about how GDPR fines in general will be assessed going forward. The precedent of not letting company turnover drive the amount is consistent with the language of Article 83(2), whose criteria concern the nature, gravity and duration of the infringement, intent or negligence, mitigation, cooperation and similar factors, with turnover appearing only in the upper limits set by Article 83(4) and (5). That reading could well extend beyond German borders and put the focus primarily on the potential level of access to personal data rather than on what amount would cause an appropriate level of pain to the individual organization’s bottom line. In other words, a relatively trivial violation cannot balloon into a huge fine simply because the company in question is large; on the other side of that coin, a small company could be in for a massive fine should it experience a breach that is bad enough.
It additionally helps to clarify what data breach conditions will be considered “minor” for the purposes of calculating a GDPR fine. Though anyone could potentially have abused the customer service loophole in this particular case, there was only one recorded instance of anyone doing so. The actual amount of abuse committed was noted by the German court as a factor in the fine reduction, as was the range of information that was available (in this case very general contact information that is often voluntarily made public anyway). The fact that this was not an intentional violation, and that the reasoning behind the policy was to make account access easy for customers, was also taken into consideration. Other mitigating factors noted by the German court in its decision were the telecom company’s cooperation during the investigation, the fact that this was the company’s first GDPR fine, and the fact that it suffered damage to its reputation due to media reporting of the incident.
The German court’s decision comes on the heels of several other notable GDPR fine reductions in the EU. About a month ago, the UK regulator reduced historically large proposed fines against both British Airways and Marriott by substantial amounts. British Airways saw its initial £183.4 million fine drop to £20 million, while Marriott saw a reduction from £99.2 million to £18.4 million. The coronavirus pandemic and its effect on the travel industry was cited as a mitigating factor in these cases, as both businesses have taken substantial hits to revenue. Both reductions came from representations made directly to the UK data protection authority (the ICO) before the final penalty notices were issued, rather than from a review by the country’s courts.