Norton Rose Fulbright - Data Protection Report blog

In December 2019, the German Federal Commissioner for Data Protection and Freedom of Information (“Federal DPA”) levied a € 9.55m fine against 1&1 Telecom (“1&1”), a German telecom company. On 11 November 2020, the Regional Court (Landgericht) of Bonn (the “Court”) slashed the fine to just € 900,000, on the basis that it was disproportionate. The Court considered that too much emphasis had been given to the turnover of 1&1 at a group level in calculating the fine, calling the calculation model used by the German authorities into question.

The facts

The Federal DPA levied a fine on the basis that 1&1 had disclosed the cell phone number of one of its customers to an unauthorised third party, by failing to implement an appropriate authentication procedure within its call centre. A woman called the 1&1 customer service hotline to find out the new cell phone number of her ex-boyfriend. She provided his first name, surname and date of birth, and with this information alone the call centre operator shared the new cell phone number of its customer with her. The Federal DPA considered this to be a violation of Art. 32 GDPR, as 1&1 had failed to implement sufficient technical and organisational measures for authenticating calls made to its call centres to ensure that the caller is also the respective contract holder. The Federal DPA calculated the fine taking into account the turnover of 1&1 at a group level. 1&1 subsequently challenged the Federal DPA’s decision in the Court, on the basis that the fine was excessive.

The decision

Although the Court ruled that the authentication measures implemented by 1&1 in relation to calls made to its call centres at the time of the complaint were not sufficient, it considered the fine to be disproportionate as the violation was minor in nature and insufficient factors were taken into account in calculating the fine. The Court took the view that the entire group turnover is not the only criterion that requires consideration when calculating fines pursuant to Article 83(2) GDPR.

The key takeaways

  • Calculation model for fines is disproportionate: The model for fine calculation published by the German Data Protection Authorities provides that turnover is an essential factor in determining the appropriate level of the penalties. The Court took the view that relying on turnover as the key factor in calculating the fine was not appropriate, as:
    • a minor GDPR violation by an entity with a high turnover (at group level or otherwise) would lead to a disproportionately high fine; and
    • a serious GDPR violation by an entity with a low turnover would lead to a disproportionately low fine.
  • Objective factors are essential: When calculating a fine, the supervisory authority needs to take into account objective factors of the violation and undertake a case-by-case analysis of the facts.
  • Indicators of a minor violation of the GDPR: The Court classified the deficiencies in 1&1’s customer authentication procedure as a minor violation of the GDPR for the following reasons:
    • This incident represented a single and extraordinary case of misuse of its customer call centre;
    • The nature of the personal data affected: the call centre only processes customer data that is frequently disclosed, such as name, address, telephone number and general contract information. Under ordinary circumstances, this type of personal data would not represent a particular risk to the relevant data subjects (although of course in certain circumstances it could be problematic). Sensitive data such as details of individual calls, traffic data or bank accounts could not have been disclosed using the relevant authentication procedure.
    • There was no indication of a mass leak of personal data: This violation did not lead to a mass leak of personal data to unauthorised persons.
    • The violation was not committed intentionally.
    • It was clear that 1&1 was acting for the benefit of its customers, as the authentication was implemented in order to provide easy access to the call centre.

The following additional mitigating factors were taken into account:

  • 1&1 demonstrated good cooperation and improvement measures. It cooperated with the Federal DPA throughout its investigations and has responded by taking steps to increase the standard of authentication required by its call centres.
  • This was the first fine imposed on 1&1.
  • The reputational damage suffered by 1&1, which the Court considered should be taken into consideration.

In all other respects (setting aside the level of the fine) the Federal DPA considers the judgment of the Court as confirmation of its decision in relation to the GDPR violation, on the basis that the Regional Court followed its opinion in relation to the substantive points and has given a clear statement that violations of the GDPR will not be readily accepted and will have consequences.

Our take

The model developed by the German authorities to calculate fines, which currently heavily relies on turnover, has been criticised by the Court. The Court gave a clear statement that the model leads to disproportionate fines in many cases. We now expect the authorities to reconsider the model generally. In the meantime, we anticipate that an authority would be at least hesitant to fully rely on the model and would likely take the factors outlined by the Court (as stated above) into account when calculating a fine.

Companies that are subject to fines in the future now have a precedent judgment to rely upon to defend themselves. This is great news for larger and multinational companies, whose higher turnover would have led to substantial fines even in minor cases under the old model.

The press release issued by the Court can be read here (in German).