German internet service provider 1&1 Telecom is facing a €9.6m ($10.6m; £8m) fine after being accused of failing to carry out tough enough customer ID checks.
Germany’s data protection watchdog said anyone who called could get extensive personal information about someone else solely by giving their name and date of birth. Fraudsters can easily collect such details from social networks and elsewhere on the net.
But the firm is challenging the ruling. It said it did not accept the decision and intended to sue the authority. The sum represents one of the largest penalties imposed under the EU’s GDPR (General Data Protection Regulation).
1&1 Telecom said the fine was “absolutely disproportionate” because the regulator had based its calculations on the wider company’s sales. On that basis “even the smallest discrepancy can result in huge fines”, its data security officer Julia Zirfas complained.
The company also noted that it was in the process of rolling out new security protocols that will involve customers having to provide a Pin code when they call in.
In the most serious cases, organisations can be fined up to €20m or 4% of their worldwide annual revenue – whichever is larger. But regulators are supposed to take into account whether the offending body co-operated with their inquiry, any past offences and whether the infringement was deliberate or a mistake, among other factors, when deciding the amount.
In this case, the BfDI (Federal Commissioner for Data Protection and Freedom of Information) acknowledged that 1&1 Telecom had been “transparent and very co-operative” and had also taken steps to improve its practices. But the watchdog said the sum was still justified on the basis that its entire customer base had been put at risk.
In October, the same regulator punished a German property company with a bigger €14.5m fine for holding on to people’s personal data for longer than was necessary. And other European counterparts have told Google, British Airways and Marriott Hotels to pay even larger sums for other GDPR-related offences.
One data privacy expert said the latest ruling was still significant. Tim Turner, director of 2040 Training told the BBC:
It’s only the second time there’s been a multi-million euro penalty for a straightforward security issue, following a Bulgarian case, …Call centres have to balance easy access for customers with sensible verification measures, and this will be a wake-up call for all organisations trying to work out how much security to face callers with.
Source: BBC News
Check out our Premium Privacy Insights for informative articles on wide-ranging global data privacy issues – PLUS download our free CCPA compliance ebook entitled “The CCPA Effect”.