The German data protection regulator, the Federal Commissioner for Data Protection and Freedom of Information (BfDI), has imposed a GDPR fine of €9.55 million ($10.64 million) on the German telecommunications provider 1&1 Telecom GmbH. The BfDI describes the fine as “in the lower range of possible fines,” primarily because of 1&1's cooperative response to the regulator's investigation.
The penalty is levied under Article 32 of the GDPR. Paragraph 2 says, “When determining the required level of security, the risk posed by transmission, in particular from unintentional or improper damage, deletion, modification, unauthorized disclosure of or exposure to personal data sent, stored or otherwise handled, shall be taken into account.” The complainant's former partner, who already knew many personal details, obtained the complainant's phone number from the helpline simply by giving the complainant's name and date of birth. According to the BfDI, this amounted to inadequate protection of personal data against unauthorized access.
1&1 cooperated with the investigation. “Upon consulting with BfDI, 1&1 Telecom GmbH is currently in the process of introducing a new, significantly improved encryption protocol in terms of software and data protection.” The regulator nevertheless felt compelled to issue a fine because the breach could, in theory, have affected 1&1's entire customer base.
Although the penalty is in the lower range of what was possible, it remains a major GDPR fine against a foreign business. Germany recently levied a penalty of €14.5 million ($16.15 million) on a German real estate company for unlawful processing of personal data and failure to implement software protection. The largest penalty so far has been the UK regulator's fine against British Airways ($230 million in 2018). The 1&1 fine is nonetheless significant, both for its size and because it does not relate directly to the company's computer systems but to how access to the personal data held on those systems was controlled through informal procedures.
In a corresponding announcement, 1&1 Telecom said it would contest the BfDI's decision. It said that it was already using two-factor authentication, which required callers to supply additional personal data (in this case known to the former life partner). 1&1 states, “There was no universal industry norm for higher security standards at this stage.” Its argument was therefore that the penalty was excessive and in breach of the Basic Law.
Nonetheless, it continues, “Since then 1&1 has continually improved the security requirements. In the meantime, for instance, a three-level encryption has been adopted and in the next few days 1&1, as one of the first firms in its sector, will provide a personal service PIN for each client.” If the penalty is upheld by the courts, many businesses will have to rethink. Customers are already dissatisfied with how complicated it is to get telephone support even without additional security steps, so organizations must balance security with ease of use. Nonetheless, the BfDI does not regard this as a one-off issue. “On the basis of its own findings, indications and customer complaints,” it warns, “the BfDI is also currently investigating the authentication procedures of other telecommunications service providers.”