Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has slapped a $10.65 million fine on 1&1 Telecommunications, a major mobile services company. The fine is the largest to date for a violation of the General Data Protection Regulation (GDPR), the EU regulation stipulating online users’ data protection rights.
Failure to Protect
The specific reason for the fine was what the German government described as a complete failure on 1&1’s part to comply with Article 32 of the data protection regulation, which requires businesses to implement technical and organizational protections for personal data. The BfDI had discovered that people who called 1&1’s call centers were being granted access to personal information simply by giving a name and birthday. This constitutes a gross security lapse, as information of that sort can easily be obtained from the internet.
Germany Lays Down the Data Protection Law
The move by German regulators is a sign that Germany, the strongest economy within the EU, is moving vigorously to enforce the GDPR. This is, in turn, a powerful reaffirmation of Germany’s obligations as a key EU member and a sign that the organization’s decisions and policies will not be neglected by member states.
German Federal Commissioner Ulrich Kelber gave a succinct explanation of why the German regulatory response was warranted. “Data protection is fundamental rights protection. The fines imposed are a clear sign that we will enforce this protection of fundamental rights. [The GDPR] gives us the opportunity to strongly sanction the inadequate security of personal data. We apply these powers in the light of due consideration.”
The company rejected the German government’s decision as too harsh and “utterly disproportionate,” and announced its intention to sue the regulatory authority. 1&1 challenged the government’s calculation of the fine, which was based on overall company sales. As its data security officer Julia Zirfas argued, on the basis of the German government’s criteria, “even the smallest discrepancy can result in huge fines.”
Although the GDPR allows the government to fine up to 4% of an offending company’s global revenue, the authorities are supposed to take into account factors such as the level of cooperation shown by the company, its previous track record, and whether the offense was deliberate. By the German government’s own admission, 1&1 had been “transparent and very co-operative,” while also rolling out tighter security measures, such as requiring callers to provide a PIN when contacting 1&1.
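To make the difference between the two verification methods concrete, here is an added example that is not code from the article or from 1&1. It contrasts a knowledge-based check on name and birthday (attributes a caller could have looked up) with a PIN check that stores only a salted PBKDF2 hash, compares in constant time, locks the account after repeated failures, and records every attempt in an audit trail. The account record, the customer name and the PIN are all constructed sample data.

```python
"""Added example: two ways a call-center agent's console might verify a caller.
Not 1&1's code; the account data below is constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3            # failed PIN entries before the account is locked
PBKDF2_ITERATIONS = 100_000  # work factor for the stored PIN hash


@dataclass
class Account:
    number: str
    name: str
    birthday: str        # ISO date; not a secret, so unsuitable as an authenticator
    pin_salt: bytes
    pin_hash: bytes      # PBKDF2-HMAC-SHA256 of the PIN, never the PIN itself
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a salted hash so a leaked record does not reveal the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def make_account(number: str, name: str, birthday: str, pin: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(number, name, birthday, salt, hash_pin(pin, salt))


class CallerVerifier:
    def __init__(self, accounts):
        self.accounts = {a.number: a for a in accounts}
        self.audit_log = []  # (account number, method, outcome) per attempt

    def _log(self, number: str, method: str, outcome) -> None:
        self.audit_log.append((number, method, outcome))

    def verify_knowledge_based(self, number: str, name: str, birthday: str) -> bool:
        """The weak check the article describes: matches publicly discoverable
        attributes, so a correct answer proves nothing about who is calling."""
        acct = self.accounts.get(number)
        ok = acct is not None and acct.name == name and acct.birthday == birthday
        self._log(number, "name+birthday", ok)
        return ok

    def verify_pin(self, number: str, pin: str) -> bool:
        """The stronger check: a secret only the customer should know,
        with lockout so the PIN cannot simply be guessed over many calls."""
        acct = self.accounts.get(number)
        if acct is None:
            self._log(number, "pin", "unknown-account")
            return False
        if acct.locked:
            self._log(number, "pin", "locked")
            return False
        ok = hmac.compare_digest(hash_pin(pin, acct.pin_salt), acct.pin_hash)
        if ok:
            acct.failed_attempts = 0
        else:
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.locked = True  # further attempts need an out-of-band reset
        self._log(number, "pin", "ok" if ok else "fail")
        return ok


def demo() -> dict:
    """Run both checks against one constructed account and report the outcomes."""
    v = CallerVerifier([make_account("1001", "Erika Mustermann", "1980-05-12", "4711")])
    results = {
        # Name and birthday match, so the weak check waves the caller through.
        "kba_with_public_data": v.verify_knowledge_based("1001", "Erika Mustermann", "1980-05-12"),
        "pin_correct": v.verify_pin("1001", "4711"),
        "pin_wrong": v.verify_pin("1001", "0000"),
    }
    for _ in range(MAX_ATTEMPTS):          # repeated guessing trips the lockout
        v.verify_pin("1001", "9999")
    results["pin_correct_after_lockout"] = v.verify_pin("1001", "4711")
    results["audit_entries"] = len(v.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is that the knowledge-based check succeeds for anyone who has the caller's name and birthday, while the PIN path fails closed once the attempt budget is spent and leaves an audit record that an operations team can review for guessing patterns.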
The Wider Picture
The GDPR is an EU regulation that applies to any organization doing business in the EU, whether based inside or outside its borders. It strictly regulates the way companies that process data guarantee user privacy, and ensures a measure of user control over personal data. However the German government’s case against 1&1 pans out, this move by the German government helps assure all interested parties that the GDPR is being rigorously enforced. This will create a new set of expectations for the larger information governance environment.
Our line of hardware-encrypted SecureDrives is fully GDPR compliant and FIPS 140-2 Level 3 validated, meaning the devices have been government-tested for security. They can be used across any industry, whether it be a call center with digital files or a corporation with mission-critical information. Learn more about how these security products can prevent your business from enduring GDPR fines by calling 1-800-875-3230.