German ISP challenges GDPR fine issued over inadequate customer ID checks

$10.6m charge dished out despite cooperation

UPDATED An internet service provider (ISP) in Germany is contesting one of the largest-ever fines issued in the country under GDPR, the EU’s data protection legislation.

Germany’s data protection watchdog levied the €9.6 million ($10.6 million) penalty against 1&1 Telecom for allegedly failing to conduct robust customer ID checks.

In a press release published late last week (in German), the Federal Commissioner for Data Protection and Freedom of Information (BfDl) said that the ISP had “not taken sufficient technical and organizational measures” to protect customer privacy.

The lack of protections enabled a person to call 1&1 Telecom and obtain the personal information of any customer, the BfDl explained, adding that a name and date of birth would be enough to obtain further information on a subject.

The issue impacted the ISP’s telephone customer service and was a violation of the secure processing requirement under GDPR, the BfDL said.

Federal Commissioner Ulrich Kelber said: “Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights.”

‘Absolutely disproportionate’

1&1 Telecom said in a post on its website (in German) that it would be appealing the decision and that no market authentication standard for security requirements existed.

It added how the issued fine was over a 2018 security incident where the employee responsible had followed all necessary procedures.

A spokesperson for 1&1 told The Daily Swig: “No sensitive customer data was released, only the customer's current mobile phone number. The customer's former life partner called customer service at 1&1 in 2018 and identified herself with the correct answer to two questions about the master data of her ex-life partner at 1&1.

“She thus fulfilled the requirements of the security query at the time. She was then given the current mobile phone number. The ex-partner then filed a criminal complaint against his former partner with the police and the case was forwarded to the Federal Data Protection Commissioner.”

The BfDL said that while 1&1 had cooperated with its investigation and introduced a new authentication procedure a fine was still mandated. The fine was proportionate, it said.

“Among other things, the infringement was not only limited to a small number of customers, but represented a risk for the entire customer base,” the BfDL added.

In force since May 2018, GDPR introduced fines of up to €20 million ($22.3 million) or 4% of an organizaton’s annual revenue for data protection violations.

New penalty guidelines

According to Jan Feuerhake, a Hamburg-based partner at law firm Taylor Wessing, the fine issued to 1&1 is following new guidelines issued recently by German regulators.

The guidelines, which are also being proposed in Austria (non-HTTPS link), state that GDPR fines should be based on a company’s worldwide revenue but take into account previous offences, the gravity of the offense, and whether the offender cooperated with the investigation.

Feuerhake told The Daily Swig that the guidelines would “turn up the enforcement of GDPR” and herald “a wave of multimillion-euro fines”.

The 1&1 spokesperson said that the new model contradicted the principle of equal treatment.

“In our view, the new fine regulation, which applies not only to the telecommunications industry but to the economy as a whole, violates various laws,” they said.

“The model is deeply unfair and can result in huge fines for even the smallest infringements.

“The basic data protection regulation lists the assessment criteria for the amount of fines. Turnover is not one of these statutory assessment criteria. The daily rate model prevents appropriate consideration of the criteria actually provided for.”

The BfDL also announced a fine of €10,000 ($11,115) against payment service provider Rapidata for failing to comply with Article 37 under GDPR – designating a data protection officer – despite repeated requests to do so.

In October, Berlin’s data protection regulator dished out another hefty GDPR fine – €14.5 million ($16 million) – to a Germany property firm for retaining personal data for longer than necessary.

The Daily Swig has reached out to BfDL for further comment.

This article has been updated with comments from 1&1.

YOU MIGHT ALSO LIKE GDPR: Have greater fines forced organizations to take data security seriously?