GDPR fine in Germany ruled 'unreasonably high'

Out-Law News | 16 Nov 2020 | 5:24 pm

The €9.55m fine imposed on telecommunications provider 1&1 Telecom by the federal commissioner for data protection and freedom of information (BfDI) in Germany was "unreasonably high", a court in the country has ruled.

The BfDI imposed the penalty late last year after determining that 1&1 Telecom was responsible for a breach of the General Data Protection Regulation (GDPR). However, the company appealed that decision and the level of penalty imposed on it before a specialist fines court in Bonn, which has now ruled that the company need only pay a €900,000 fine in relation to its breach.

Data protection law expert Ruth Maria Bousonville of Pinsent Masons, the law firm behind Out-Law, said: "This ruling is a milestone in how the GDPR is applied in Germany. It frames the dissuasiveness of fines with the various other circumstances which the GDPR also requires to be taken into account, namely the gravity of the infringement. The German data protection authorities are currently working on a revised scheme for fines. It will be interesting to see how they factor in the arguments which were decisive in this ruling."

The BfDI had determined that 1&1 Telecom had insufficient security measures in place to prevent unauthorised access to customer data. It said it was possible for callers to phone 1&1 Telecom's customer services and access extensive information about customers just by providing a customer's name and date of birth.

Though 1&1 Telecom took steps to bolster the authentication process by requiring callers to provide more information before they could access customer data, and committed to introducing a new and improved authentication procedure in consultation with the BfDI, the regulator said the breach merited a fine because, among other things, the security failings "represented a risk for the entire customer base".

The Bonn court agreed that there had been a breach of data protection law by 1&1 Telecom, identifying an insufficiently secure authentication procedure as the reason for this. However, the court found that unauthorised callers would not have been able to access sensitive customer bank account information by exploiting the weak procedure, nor would it have led to the company disclosing customer data "on a massive scale".

The court characterised the fault as "minor" but said the weakness in the authentication procedure was one the company should have been aware of and which merited a fine.

It held, though, that the original €9.55m fine imposed by BfDI was "unreasonably high" and revised the penalty down to €900,000.