A German federal privacy watchdog announced it has fined telecommunications service provider 1 & 1 Telecom €9.55 million (U.S. $10.6 million) for violations of the EU’s General Data Protection Regulation. The company says it won’t accept the penalty and will file a lawsuit.

The fine against 1 & 1 Telecom is one of the largest to date under the GDPR, put into effect in May 2018. In July 2019, British Airways was hit with the largest penalty thus far, a £183.39 million (U.S. $230 million) fine stemming from the compromised data of nearly 500,000 customers. That same month, Marriott International’s faced a £99.2 million (roughly U.S. $124 million) fine for a data breach that exposed the data of 339 million guest records globally.

The 1 & 1 Telecom fine is the second largest brought by a German data regulator, behind a €14.5 million (U.S. $16.1 million) penalty assessed upon property company Deutsche Wohnen SE in October by the Data Protection Authority of Berlin regarding privacy violations in the archiving of tenant data.

In the 1 & 1 Telecom case, according to the Federal Commissioner for Data Protection and Freedom of Information (BfDI), 1 & 1 Telecom had not taken “sufficient technical and organizational measures” to prevent unauthorized persons from obtaining information on customer data. The BfDI said it became aware callers to 1 & 1 Telecom’s call center could obtain extensive information on personal customer data simply by getting the customer’s name and date of birth. Such an authentication procedure violates Article 32 of the GDPR, which requires taking appropriate technical and organizational measures to systematically protect the processing of personal data.

1 & 1 Telecom has cooperated in the investigation. For example, the company introduced a new authentication procedure, which the BfDI said has been significantly improved in terms of technology and data protection, in consultation with the regulator.

Despite these measures, the BfDI said the imposition of a fine was necessary. In assessing the amount of the fine, the BfDI credited 1 & 1 Telecom’s cooperative behavior throughout the proceedings.

More to come?

In a separate case, the BfDI said it has fined Internet service provider Rapidata €10,000 (U.S. $11,100) for failing to designate a data protection officer in violation of Article 37 of the GDPR. Regulators said the amount of the fine reflected Rapidata’s failure to comply with repeated requests but also took into consideration that it’s a small business.

“Data protection is a fundamental right,” said Federal Commissioner Ulrich Kelber in a translated release. “The fines are a clear sign that we will enforce this protection of fundamental rights.”

On an industry-wide level, more fines may be forthcoming. Based on its own findings, information, and customer complaints, the BfDI said it is also investigating the authentication processes of other providers of telecommunications services.

1&1 Telecom’s response

In a translated response statement, the company said it “will not accept the fines” and plans to file a lawsuit. “This procedure was not about the general protection of data stored in 1 & 1, but about how customers can access their contract information,” the company said.

The case in question occurred in 2018 and concerned a telephone query of the mobile number of a former partner. “The responsible employee fulfilled all the requirements of the then-valid 1 & 1 security guidelines,” the company stated. “At that time, two-factor authentication was common, and there was no single market standard for higher security requirements.”

Since then, 1 & 1 has continued to enhance its security requirements. For example, a three-level authentication has been introduced, and 1 & 1 says it will soon provide each customer with a personal service PIN. “The security of millions of customers’ data is our top priority,” said Julia Zirfas, an attorney and the company’s data protection officer. “Therefore, 1 & 1 adheres strictly to the applicable data protection regulations.”

“The fine is absolutely disproportionate,” Zirfas added.