Germany’s privacy regulator, BfDI, has imposed a 9,550,000 Euro fine on telecom company 1&1 Telecom. As one of the world’s largest telecom providers, 1&1 – in 2018 – had not sufficiently protected customer data from access by unauthorized persons during support services by telephone.
The GDPR investigation by BfDI (Federal Commissioner for Data Protection and Freedom of Information) was initiated following a complaint by a customer whose mobile telephone number was provided to his former partner in 2018. The person calling provided only name and birthdate to 1&1’s support employee to provide proof for being a customer. According to 1&1, the support employee acted in accordance with the company’s guidelines at the time, which required a two-factor authentication. The BfDI stated that the procedure created privacy risks for customers.
After the BfDI complained about the inadequate data protection, 1&1 Telecom GmbH was insightful and cooperative, stated BfDI. Although 1&1 cooperated, BfDI has imposed this fine of 9,550,000 euros. The privacy regulator stated that the infringement was not restricted to a small number of 1&1 customers. It represented a risk for the entire customer base. The amount of the fine, according to BfDI, was still at the lower end of the possible fine limit because 1&1 had cooperated.
1&1 Telecom Gmbh has meanwhile announced that it will appeal against the fine imposed by the data protection authority. At the time, two-factor authentication was quite common, according to 1&1, and there was no uniform market standard for higher security requirements.
Since then, 1&1 has further developed its security measures with for example three-factor authentication. The telecom provider would also provide each customer now with a personal service PIN code.
‘Disproportionate’
Dr. Julia Zirfas, Data Protection Officer at 1&1, emphasizes the company’s high security standards: “The security of the data of many millions of customers is our top priority. Therefore, 1&1 strictly adheres to the applicable data protection regulations.”
“The fine is absolutely disproportionate,” added Dr. Julia Zirfas. “The new fine regulation, according to which the amount was calculated and which applies to the entire German economy, was published on October 14, 2019 and is based on the annual Group revenue. Even the smallest deviations can result in huge fines. However, the Basic Data Protection Regulation (DSGVO) does not provide for turnover as a criterion for determining the amount of the fine. Furthermore, the new penalty logic violates the Basic Law, in particular the principles of equal treatment and proportionality”.
