Fine Practices of the Data Protection Supervisory Authorities Under Scrutiny
The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) sees the decision as a success: On November 11, 2020, the District Court of Bonn reduced the fine imposed on 1&1 Telekom GmbH for a data protection breach from an original EUR 9.55 million to EUR 990,000.00, thereby fundamentally calling into question the fine practices of the German supervisory authorities. Nevertheless, according to a press release on the same day, the BfDI feels its actions are validated as the District Court of Bonn has clarified "important and fundamental issues".
Indeed, the judgment of the District Court of Bonn is the first one on a fine imposed by a German supervisory authority in accordance with the provisions of the European General Data Protection Regulation (GDPR). With the introduction of the GDPR in May 2018, the range of fines for violations of data protection law was increased significantly. Depending on the type of violation, the data protection supervisory authorities can now impose a fine of up to EUR 20 million or (in the case of companies) up to 4 % of global annual sales.
In order to standardize the calculation of fines among the German data protection supervisory authorities, the Conference of the Independent Data Protection Supervisory Authorities of the German Federal and State Governments (DSK) published in October 2019 a concept for the calculation of fines in proceedings against companies for violations of the GDPR. The BfDI also used this concept as the basis for calculating the fine it imposed on 1&1. The concept was therefore also, at least indirectly, the subject of the judgment of the Bonn judges, the reasons for which, however, have not yet been disclosed.
The background to the case was that the former partner of a 1&1 customer had requested her ex-partner's new telephone number via the telecommunications provider's call center, pretending to be his wife. The authentication process used at 1&1 up until that point required the caller to provide only the customer's name and date of birth. Using her ex-partner's new telephone number, which was obtained in this way, she was able to stalk him.
The BfDI, responsible for 1&1 as the supervisory authority, saw this as a grossly negligent violation of the GDPR and imposed a fine of EUR 9.55 million.
In response to 1&1's objection, the District Court of Bonn decided on November 11, 2020 that the fine against the company was justified on the merits, but not in its amount. It reduced the fine to EUR 990,000.00 (a reduction of almost 90 %).
The subject of the decision of the District Court of Bonn was not only the amount of the fine imposed on 1&1. For the first time, a court also dealt with the question under which conditions a company is liable for violations of the GDPR by its employees:
The Court ruled that the GDPR provides for direct association liability. This makes recourse to German administrative offense law, in particular the provisions of Sections 30 and 130 of the German Act on Administrative Offenses (Ordnungswidrigkeitengesetz – OWiG), including the requirement of a breach of duty by a manager, superfluous.
According to the German Act on Administrative Offenses, companies are only liable for violations by their employees if management personnel have not adequately fulfilled their supervisory and control obligations (so-called legal entity principle).
Although the German Federal Data Protection Act (Bundesdatenschutzgesetz) refers to the provisions of Sections 30 and 130 OWiG, this requirement cannot be transferred to the GDPR, according to the - controversial - view of the Bonn judges. In order to be liable for violations of data protection law, it is therefore not necessary for a manager to make a mistake to which the fine notice can be linked. The Court ruled that under European law - as opposed to the German law on administrative offenses - even a mistake by any employee can result in the liability of the company and, therefore, a fine.
Following this principle, the District Court of Bonn determined that 1&1 was also liable for culpable violations by its call center employees.
Data protection violation
The Court held that a culpable breach of duty can be assumed in the present case: 1&1 did not protect customer data with sufficiently secure authentication procedures, so it was possible for unauthorized persons to access customer data. Although a legal error by 1&1 can be assumed with regard to the appropriateness of the protective measures, such an error was avoidable. An error is avoidable if there is reason to independently check whether the conduct in question might be unlawful, or to make reasonable inquiries, and in this way to recognize its unlawfulness.
Determination of fines
The Court found, however, that the fine set by the BfDI was significantly too high. It should be taken into account that 1&1's fault must be viewed as minor, which the authority imposing the fine evidently did not do. The telecommunications provider lacked the necessary awareness of the problem with regard to its authentication practice, which had been in place for years without objection, especially since there are no clear guidelines for authentication processes at call centers. It should also be taken into account that it was a minor data protection breach that affected a single person and that did not and could not have led to mass disclosure of data to unauthorized persons. Against this background, the Court reduced the fine initially imposed by the BfDI to a good 1/10 of the original amount.
Although the above-mentioned judgment and the radical reduction in the fine show that the German data protection authorities should revise their current concept for the calculation of fines in proceedings against companies, there is no reason for the addressees of the data protection regulations to breathe a sigh of relief:
The judgment confirms that even minor violations of the General Data Protection Regulation can result in substantial fines. Given that the violation affected only a single person and the District Court of Bonn considered the fault of 1&1 to be minor, a fine of EUR 990,000 is not to be considered insignificant, even for a large company with high revenues. In addition, the judgment makes it clear that companies - according to the disputed opinion of the Court - are also liable for minor and isolated data protection violations by each individual employee. Neglect on the part of the company's management is not decisive. Against this background, the authorities do not have to prove any specific culpable act or corresponding culpable omission by a particular employee in order to impose a sanction.
Even if the further development, particularly in case law, remains to be seen, the judgment clearly shows:
The requirements for data protection and IT compliance, especially for companies, are likely to become more stringent - despite the lack of binding guidelines from the authorities.
This is also confirmed by the BfDI in response to the judgment presented: "No company can afford to neglect data protection anymore."
This once again brings the importance of training one’s own employees (not just at management level) into focus. This is particularly true in times when mobile working is becoming the “new normal” and new requirements are placed on the technical and organizational (compliance) measures to be applied, the non-observance of which harbors particular risks, not only from a data protection perspective (cf. our Data Protection Update no. 85 from November 2, 2020).
Nonetheless, companies should carefully examine whether to take action against a possible fine, even if they are willing to accept the substantive grounds for the decision. This is because, at the moment at least, there are many indications that the fine calculation used by the supervisory authorities is disproportionate.