On Tuesday, 9 December 2019, the German Federal Data Protection Commissioner announced in a press release that he had imposed a fine of EUR 9.55 million on the telecommunications service provider 1&1 Telecom GmbH. According to the press release, the fine had been imposed because 1&1 Telecom "did not take sufficient technical and organizational measures to prevent unauthorized persons from obtaining customer data from the customer support hotline".
What was the alleged GDPR infringement?
The alleged infringement, according to the Federal Data Protection Commissioner, was that 1&1 Telecom's customer support hotline gave callers personal information about them after they had authenticated themselves using only their name and date of birth. The Commissioner claimed that this authentication method infringed Article 32 GDPR, which requires the implementation of "appropriate" data security measures.
How was the amount of the fine determined?
The amount of the fine was calculated based on the “GDPR Fining Model” which the German Data Protection Authorities announced in October 2019 (here is a general summary of the concept). According to the Fining Model, a "daily rate" is to be derived from the worldwide annual turnover of the respective group of companies. This daily rate then forms the basis for the calculation of the fine. The consequence of using the worldwide annual turnover as the calculation basis is that even very small infringements can lead to potentially very high fines if the concerned company belongs to a larger group. This was the case for 1&1.
Nonetheless, the Federal Data Protection Commissioner has claimed that the fine imposed by him was "in the lower range of the possible fine framework". In that regard, it should be noted that other data protection authorities in Germany have already imposed lower fines for more serious infringements (also in proportion to the size of the company). This makes the statement of the Federal Commissioner quite questionable.
Will 1&1 now seek legal protection?
1&1 has announced that it will challenge the fine in court. In doing so, 1&1 has already made clear that its defence will essentially rely on two arguments. Firstly, authentication by name and date of birth was customary in the market at the relevant time, and 1&1 has since improved its authentication procedure. Secondly, 1&1 claims that the amount of the fine was disproportionate. The fining concept can lead to huge fines even for very small infringements if the respective "perpetrator" happens to be part of a large group of companies. This method of calculating fines is not in line with the constitutional principles of proportionality and equal treatment.
What should companies consider now?
This is likely the first fine ever imposed by the Federal Data Protection Commissioner since the DSGVO (the German term for the GDPR) became effective. It shows that companies under the supervision of the Federal Data Protection Commissioner must now prepare themselves for being fined in case of GDPR breaches.
The Federal Data Protection Commissioner supervises all companies in the telecommunications and postal sectors. According to a decision of the German data protection authorities, this also includes messenger apps.
In his press release, the Federal Data Protection Commissioner points out that he is also investigating whether other telecommunications companies committed similar infringements. If other telecommunications companies still authenticate customers only by asking for the name and date of birth, they should now quickly change this procedure.
Some legal comments
As already indicated by 1&1, the decision of the Federal Data Protection Commissioner is highly questionable.
On the one hand, it is highly questionable whether there was a GDPR infringement that could be fined in the first place. The imposition of fines is subject to the "nullum crimen" principle under German law. Or, in other words: "nulla poena sine lege certa", meaning that no one can be punished for an offence that could not be clearly recognized as such in the law at the time when the offence was committed. This is also underlined by the "Rindfleischetikettierungsgesetz" decision of the Federal Constitutional Court. Given that Article 32 GDPR depends on many vague criteria, such as "state of the art", "appropriate measures", etc., this was questionable here.
As 1&1 has already correctly pointed out, authentication by date of birth was the market standard at the time in question. If all companies were using this authentication method without the data protection authorities intervening, why is the violation now so serious in the case of 1&1 that it directly justifies a heavy fine? Besides, the State Data Protection Authority of Baden-Württemberg, for example, had stated that it considered authentication based on date of birth to be "common practice", and recommended authentication by "secrets" (e.g. a customer PIN) only before sensitive personal data was disclosed. There are, therefore, many reasons to argue that the fine imposed by the Federal Data Protection Commissioner was unlawful.
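The Baden-Württemberg approach described above (name and date of birth identify the caller; a secret such as a customer PIN is required before sensitive data is disclosed) can be expressed as a small step-up verification policy. The following is an added Python example, not code from the article or from 1&1; the field tiers, customer record and lockout threshold are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Disclosure policy (constructed for this example): what a support agent may
# reveal depends on how strongly the caller has been verified so far.
LEVELS = {"none": 0, "identified": 1, "verified": 2}
FIELD_POLICY = {
    "contract_status": "identified",   # low sensitivity: name + DOB suffices
    "postal_address": "verified",      # personal data: customer PIN required first
    "bank_details": "verified",
    "call_records": "verified",
}
MAX_PIN_FAILURES = 3  # assumed lockout threshold

def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so stored PINs are not trivially recoverable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

@dataclass
class Customer:
    name: str
    dob: str
    pin_salt: bytes
    pin_hash: bytes
    pin_failures: int = 0

@dataclass
class CallSession:
    level: str = "none"  # none -> identified -> verified

def identify(customer: Customer, name: str, dob: str, session: CallSession) -> str:
    """Name and date of birth only identify the caller; they are not secrets."""
    if name.strip().lower() == customer.name.lower() and dob == customer.dob:
        session.level = "identified"
    return session.level

def verify_pin(customer: Customer, pin: str, session: CallSession) -> str:
    """Step-up check with a secret; stops accepting PINs after repeated failures."""
    if session.level == "none" or customer.pin_failures >= MAX_PIN_FAILURES:
        return session.level
    if hmac.compare_digest(hash_pin(pin, customer.pin_salt), customer.pin_hash):
        customer.pin_failures = 0
        session.level = "verified"
    else:
        customer.pin_failures += 1
    return session.level

def may_disclose(session: CallSession, field: str) -> bool:
    """Deny anything not explicitly listed in the policy table."""
    required = FIELD_POLICY.get(field)
    return required is not None and LEVELS[session.level] >= LEVELS[required]
```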
On the other hand, the amount of the fine is also very questionable. The "fining model" of the German data protection authorities is based on the worldwide annual turnover of the group of companies. This means that the larger the group to which the infringing company belongs, the higher the fine. The model does not take into account whether the actual infringement was relevant to the entire group of companies or (as here) pertained only to one specific group company.
By calculating the fines always based on the worldwide group turnover, instead of considering the extent of the actual case, the data protection authorities violate the principle of proportionality enshrined in the GDPR and the German Constitution.
However, companies that could be affected by potential sanctions imposed by the Federal Data Protection Commissioner should not rely on being able to successfully challenge a fine in court. Depending on the individual case, courts may even increase the fines (so-called risk of reformatio in pejus). Therefore the question of whether a fine should be challenged should be considered carefully.
And in general, the best defence strategy against fines is, as always, to limit the risk and scope of possible GDPR infringements as far as possible.