1 & 1 Telecom is the latest beneficiary of a massive fine reduction under the EU’s General Data Protection Regulation (GDPR) after a German court reduced an original €9.55 million penalty against the telecommunications service provider to €900,000 (U.S. $1.06 million) upon appeal.
The Bonn Regional Court on Nov. 11 ruled in favor of 1 & 1 Telecom and ordered the 90 percent fine reduction. The original penalty, handed down by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in December 2019 for insufficient technical and organizational measures to prevent unauthorized persons from obtaining information on customer data, had been one of the largest brought by a German regulator under the privacy legislation that took effect in May 2018.
The BfDI said it became aware that callers to 1 & 1 Telecom’s call center could obtain extensive personal customer data simply by providing the customer’s name and date of birth. Such an authentication procedure violates Article 32 of the GDPR.
1 & 1 Telecom had immediately said it wouldn’t accept the fine and planned to file a lawsuit, arguing the penalty was “disproportionate.” The court agreed.
“We welcome the decision of the regional court to significantly reduce the fine imposed by the Federal Data Protection Officer,” said Dr. Julia Zirfas, data protection officer at 1 & 1 Telecom, in a translated statement. “This is a clear signal that the original fine of EUR 9.55 million was in no way related to the present individual case.
“Nevertheless, the changed fine is also a significant amount. We therefore reserve the right to take further legal steps after carefully examining the judgment.”
In its judgment, the Bonn Regional Court, according to 1 & 1 Telecom, noted that no sensitive data was affected during what it saw as a “slight, unintentional breach of data protection in an individual case.” The case in question occurred in 2018 and concerned a telephone query of the mobile number of a former partner.
“The responsible employee fulfilled all the requirements of the then-valid 1 & 1 security guidelines,” 1 & 1 Telecom explained at the time of the original fine. “At that time, two-factor authentication was common, and there was no single market standard for higher security requirements.”
Also considered was 1 & 1 Telecom’s cooperation during the case, which the BfDI had even praised at the time of the initial fine, and its security improvements since the incident.
The court intervention is the first the BfDI has faced since the GDPR was put into force. In a statement, BfDI Commissioner Ulrich Kelber said he felt his views were still substantiated by the court despite the fine reduction.
“I am convinced that this decision will be noticed in the executive floors of companies,” Kelber said. “I am still waiting for the written reasons for the judgment, but it is clear right now: No company can afford to neglect data protection anymore.”
The sizable fine reduction comes less than a month after the United Kingdom’s privacy regulator reduced a pair of fines by roughly the same percentage following appeals by the respective companies. A £20 million (U.S. $26 million) penalty against British Airways on Oct. 16 paled in comparison to the £183.4 million figure the regulator originally touted last year for the airline’s failure to protect the personal and financial details of more than 400,000 customers. A fine against Marriott on Oct. 30 was set at £18.4 million (U.S. $23.8 million) after initially being proposed at £99.2 million for a breach of approximately seven million U.K. guest records.
In both the BA and Marriott cases, the companies worked directly with the regulator during the appeal process, as opposed to getting courts involved.