by Jonas Puchelt and Sandra Brechtel
The Regional Court Bonn reduced fines of EUR 9.55 million imposed by the German SA on the telecommunications company 1&1 to “only” EUR 900,000.00. Is the reduction of the fines by more than 90% to be interpreted as a “reality test” for the thresholds of the GDPR?
The background to the fine proceeding was a criminal complaint filed by a customer of the telecommunications company 1&1. The customer's ex-partner had obtained the customer's new telephone number from the company's hotline simply by providing the name and the date of birth of her ex-partner. The access control of the hotline was based solely on these two criteria. She used the new phone number to make harassing phone calls. However, no sensitive data, such as the content of calls, traffic data, or bank account details, could be obtained this way.
The data breach
The Federal Data Protection Commissioner considered the disclosure of the telephone number as a data breach based on gross negligence. Specifically, the SA1 regarded the disclosure as a violation of the obligation to implement suitable technical and organisational measures to ensure an adequate level of data security (Art. 32 (1) GDPR).2 Merely requesting name and date of birth is not regarded as sufficient information for access control to customer data.
Objections of the telecommunication company
1&1 admitted the data breach in principle, but characterised it as an isolated instance rather than a systematic problem and challenged the fine in court. In particular, 1&1 argued that the fine assessed by the Federal Data Protection Commissioner was disproportionate. In the opinion of the company, imposing a fine on a company based on the German Act on Regulatory Offences3 requires a violation of law by an executive of the company. In contrast, the violation of law in this case was committed by a service employee.
The matter was decided by the Regional Court after a five-day trial.
Violation by executive not required
According to the court that reviewed the fine, the case did, in fact, involve a data breach because 1&1 had failed to implement a sufficiently secure access control procedure to protect customer data in connection with call center communication. As a result, it was possible for unauthorised callers, by providing the name and date of birth of a customer, to gain access to data of that customer, such as the current phone number.
However, the court did not attribute a violation of law to 1&1 based on the German Act on Regulatory Offences4 but rather referred to the European concept of undertakings. Although § 41 (1) of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) of 2018 (5) refers to the German Act on Regulatory Offences6 for violations of the GDPR that are subject to a fine, the Regional Court held that the German Act on Regulatory Offences7 applies only “if this law [i.e., the GDPR] does not provide otherwise”.
Concept of undertaking within the meaning of Art. 101 and 102 TFEU
Recital 150 (sentence 3) GDPR8 provides that the term undertaking in connection with fines shall be interpreted in accordance with Art. 101, 102 TFEU.9 In the view of the Regional Court, the European Court of Justice has developed a functional concept of an undertaking in consistent case law, and this concept does not justify limiting liability to violations of law committed by executives. According to the court, undertakings shall similarly be liable for data breaches committed by their employees. However, the full decision has not been published.
Amount of fines disproportionate
The court reduced the amount of the fine by more than 90%. In addition, the court rejected the calculation model of fines10 of the German data protection authorities.
The fine calculation model of the German authorities determines an economic base value in accordance with the earnings of a company. This base value is multiplied by a factor reflecting the severity of the data breach. Finally, the result may be adjusted based on the specific circumstances of the case.
The court held that, since fines imposed in accordance with the GDPR should have a deterrent effect according to the intent of the legislature, they must also be proportionate in each particular case. In the view of the court, the calculation model cannot always guarantee proportionality. In particular, minor data breaches by undertakings with high earnings and serious data breaches by undertakings with low earnings cannot be appropriately fined using a purely earnings-based fine assessment model. The German data protection authorities had already announced during the proceedings that they would revise the model shortly.
In favor of 1&1, the court took into account the willingness of the company to cooperate and to change the identification procedure as well as the fact that this was the company's first data breach. When assessing the fine, the court also took into consideration the reputational damage the company had suffered as a result of the media attention to the case.
Despite the court's sharp criticism of how the fine was calculated, the Federal Commissioner for Data Protection considered the outcome of the proceeding a success and confirmation of his view of the matter. As the Federal Commissioner for Data Protection stated in his press release:11
“I am convinced that this decision will get attention on the executive floors of companies. I am still waiting for the court's written rationale for the decision, but one thing is already clear: No company can afford to neglect data privacy any longer.”
The German data protection authorities are forced to amend their fine assessment model in accordance with the requirements of the Regional Court. It remains open to what extent other German courts will follow the view of the Regional Court of Bonn. According to media reports, the company Deutsche Wohnen12, for example, has appealed against a fine that was assessed in October 2019. That case involves a fine of EUR 14.5 million. The fashion company H&M is facing a record-setting fine of EUR 35.3 million13, but, according to news reports, has accepted the fine. In the aftermath of the decision of the Regional Court of Bonn, it is to be expected that many affected companies will challenge fines imposed by SAs in court in the future.
Authors: Jonas Puchelt, certified attorney for IT law, certified data protection officer (DSC) and Sandra Brechtel, research assistant, certified data protection officer (DSC), FPS Rechtsanwälte, Frankfurt a. M.
1 Supervisory Authority.