One of Germany’s biggest DSL and mobile service companies has been fined over EUR9.5 million for GDPR non-compliance.
1 & 1, which is a subsidiary of 1 & 1 Drillisch AG (which has about 14 million customers) and is part of the United Internet Group (which includes 1&1 IONOS), was fined because the BfDI (Germany’s Federal Commissioner for Data Protection and Freedom of Information) discovered that customers calling its call centre could obtain information by providing just their name and date of birth (information that could be easily discovered and stolen). BfDI said this meant that personal information was not properly safeguarded, as per Article 32 of GDPR.
Fining the company EUR9.55 million ($10.6 million) the BfDI said it was for a poor authentication process that failed to use “sufficient technical and organisational measures” to protect customer data. The company said it will appeal the fine. Data protection officer Julia Zirfas contended that the firm considered the fine to be “disproportionate”.
BfDI acknowledged that 1 & 1 had been cooperative and had since remedied the problem by adding an extra authentication step. But despite the size of the fine, the regulator said this was relatively low in recognition of 1 & 1’s cooperation – suggesting much higher fines were in the pipeline for those found non-compliant in future.
In a sign that the BfDI was toughening its stance on non-compliance, it also fined ISP Rapidata EUR10,000 ($11,100) for having no data protection officer in place, which is another requirement of GDPR.
Fining a company is one thing, but getting them to pay up is quite another as the UK’s Information Commissioner has discovered. The ICO recently revealed that it is still owed 30% of the fines it’s handed out for data breaches, spam and nuisance calling since 2015 (totalling 42% of the value).
While charities and public sector organisations have all paid up, enterprises haven’t.
- The public sector has the highest number of fines for data breaches (60/110).
- 84% of the £3.2 million in fines from the claims management industry haven’t been paid.
- 85% of fines for data breaches have been paid, but only 23% for nuisance calls.
However, in a sign that it too is getting serious about non-compliance, the ICO has recently announced fines of £183 million for British Airways and £99 million for Marriott International, with GDPR giving it the power to levy much higher fines than under the old regime.
It has now been almost 18 months since GDPR came into force. This move by Germany’s regulator indicates that countries now consider enterprises have had long enough to ensure they’re compliant. This latest news shines a light on how telecoms firms are performing, and with two being fined in a single week in Germany, it reminds other service providers to review their compliance to avoid embarrassing cases such as this.
While there is no suggestion that data has been breached, 1 & 1 is being fined due to the potential for a breach – essentially for having sloppy processes. Even though it acted quickly to fix the problem, the fine was still substantial. Worryingly, BfDI indicated it would have been even higher had the firm not cooperated and rapidly complied.
Telecoms firms are advised to carefully look at their processes to ensure they are compliant or risk further embarrassing and damaging headlines. Many will still not be compliant. According to a study conducted by the European Business Awards and RSM in mid 2019, for example, only 57% of respondents felt confident their firm was currently compliant with GDPR. While a study by Delphix found that in some firms the security officer was actually lying to other board members by assuring them they were compliant when he or she knew the firm was non-compliant.
These are worrying times indeed. We expect more mega fines in 2020 as regulators and information commissioners seek to ensure companies are acting on their duties under GDPR. It is well worth service providers taking the time and trouble to double check compliance by auditing their processes once again.