$10 Million GDPR Fine Imposed on German Telco 1&1
The German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a €9.55 million ($10.64 million) GDPR fine on German telecoms provider 1&1 Telecom GmbH. The regulator describes this as being “in the lower range of possible fines”, primarily because of 1&1’s cooperative response to its investigation.
The fine was imposed under Article 32 of GDPR. Paragraph 2 states, “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.”
BfDI said in a statement, “In connection with their telephone customer service, the company had not taken sufficient technical and organizational measures to prevent unauthorized persons from being able to obtain customer information.”
The investigation commenced following a complaint from a customer whose personal mobile phone number was given by 1&1’s customer helpline to a former life partner in 2018. Since the former partner already knew a lot of details, the helpline provided the phone number after being given the complainant’s name and date of birth. According to BfDI, this was insufficient ‘access control’ for access to personal data.
1&1 cooperated with the investigation. “Following consultation with the BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new authentication procedure which is significantly improved in terms of technology and data protection.” Nevertheless, the regulator felt compelled to issue a fine because the infringement could have potentially affected 1&1’s entire customer base.
Although BfDI describes the fine as being in the lower range of what was possible, it remains a major GDPR fine against a European company. Germany had earlier imposed a fine of €14.5 million ($16.15 million) on a German real estate company for storing personal data without a legal basis and for not implementing privacy by design. The highest fine so far was by the UK regulator against British Airways ($230 million in 2018). The 1&1 fine is significant not only for its size but because it does not directly relate to the organization’s computer systems: it concerns verbal, staff-mediated access to personal data stored on those systems.
In a subsequent statement, 1&1 Telecom said that it will fight the BfDI decision. It said that it was already using 2-factor authentication by requesting the additional personal information (which in this case was known to the former life partner). 1&1 notes, “At this point… there was no uniform market standard for higher security requirements.” Its claim is that the fine is therefore disproportionate and violates the German Basic Law.
Nevertheless, it adds, “Since then 1 & 1 has continuously developed the security requirements. For example, a three-level authentication has been introduced in the meantime and in the next few days 1 & 1 – as one of the first companies in its industry – will provide each customer with a personal service PIN.”
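The dispute turns on what counts as a second factor: a name and a date of birth are both things an acquaintance routinely knows, so asking for both is still a single category of evidence. The following is an added illustration, not 1&1’s procedure or code, of a helpline verification routine that treats shared knowledge as account lookup only and requires a customer-held service PIN, with a lockout after repeated wrong guesses; all names, values and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Factor categories. Name, date of birth and address are "shared knowledge":
# an ex-partner or relative usually knows them, so two of them give no more
# assurance than one. Only a secret the customer alone holds counts as a
# second factor.
SHARED_KNOWLEDGE = {"name", "date_of_birth", "address"}
SECRET_FACTORS = {"service_pin"}
PBKDF2_ROUNDS = 200_000  # constructed value for the example

@dataclass
class Customer:
    name: str
    date_of_birth: str
    pin_salt: bytes
    pin_hash: bytes
    failed_pin_attempts: int = 0

def make_pin_record(pin: str) -> tuple[bytes, bytes]:
    """Store the PIN salted and hashed so helpline agents never see it."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

def verify_caller(customer: Customer, provided: dict, max_attempts: int = 3) -> bool:
    """Return True only when a secret factor is verified.

    Shared-knowledge items locate the account and must match, but however
    many of them the caller knows, they never authorise disclosure on their own.
    """
    if provided.get("name") != customer.name:
        return False
    if provided.get("date_of_birth") != customer.date_of_birth:
        return False
    if not (SECRET_FACTORS & set(provided)):
        return False  # name + date of birth only: the gap described in the article
    if customer.failed_pin_attempts >= max_attempts:
        return False  # locked out; the PIN space is small, so stop after a few misses
    digest = hashlib.pbkdf2_hmac(
        "sha256", provided["service_pin"].encode(), customer.pin_salt, PBKDF2_ROUNDS
    )
    if not hmac.compare_digest(digest, customer.pin_hash):
        customer.failed_pin_attempts += 1
        return False
    customer.failed_pin_attempts = 0
    return True
```

A real deployment would also log every disclosure decision (agent, account, factors presented, outcome) so that complaints like the one that triggered this investigation can be reconstructed.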
If the fine is upheld by the courts, it will mean that many companies will need to rethink their existing customer helpline security arrangements. Even without additional security, customers are already unhappy with the difficulties in obtaining telephone support. Companies need to balance security with ease of use. But it is worth noting that BfDI is not thinking of this as a one-off problem: “On the basis of its own findings, indications and customer complaints,” it warns, “the BfDI is also currently investigating the authentication procedures of other telecommunications service providers.”