GDPR fines: Purely a matter of discretion? GDPR fines: Purely a matter of discretion?

The proceedings had it all. First, the Federal Commissioner for Data Protection imposed a fine of 9,550,000 euros on a telecommunications service provider. The Bonn Regional Court, with which the company had lodged its appeal, then reduced the fine to 900,000 euros, just under a tenth of the original amount. Why did this happen, and what conclusion can companies draw from this with regard to data protection violations?

The background to the case can be summarised as follows. The telecommunications service provider operated a call centre which, after identifying and authenticating the customer, provided information or accepted change requests, among other things. In addition, it was possible for people introducing themselves as members of the customer's family or otherwise close persons to act on behalf of the customer if they gave the customer's name and date of birth for authentication. The ex-girlfriend of one of the company's customers took advantage of this to obtain the customer's new telephone number, which the customer had previously changed. She used the number to make harassing calls to her former partner.

The Federal Commissioner for Data Protection and Freedom of Information (BfDI) subsequently initiated administrative offence proceedings against the telecommunications company and imposed a fine of €9,550,000. According to the BfDI, an adequate level of protection under Article 32 of the GDPR was lacking because only the name and date of birth were considered sufficient for authentication. This breach of data protection was not limited to a small part of the customers - it posed a risk to the entire customer base. The BfDI had set the maximum possible fine at EUR 73,260,000 according to the fine concept of the Conference of Independent Data Protection Supervisors of the Federation and the Länder (DSK). Since the company had behaved cooperatively throughout the entire proceedings, the fine imposed was located in the lower range of the possible fine framework, reasoned the Federal Commissioner for Data.

The DSK's concept of fines provides for a five-step procedure for the actual calculation of fines. In simplified terms, a daily rate is determined depending on the turnover of the company, which is then multiplied by a factor depending on the severity of the violation. The result is adjusted by any circumstances not yet taken into account.

In the opinion of the Regional Court of Bonn, however, the assessment of the fine must be based primarily on the offence-related aspects of Article 83 (2) sentence 2 of the GDPR. The court found it problematic to assess the fine guided by a basic value determined according to the company's turnover and multiplied by a factor depending on the severity of the data protection violation, as this would result in too strong a focus on the company's turnover. The assessment method applied by the BfDI may lead to appropriate results for data protection violations of medium weight, the court continued, but it is not appropriate for serious data protection violations of companies with low turnover or for minor data protection violations of companies with high turnover. These are the cases in which an assessment based primarily on turnover conflicts with the assessment based on the criteria in Art. 83 para. 2 sentence 2 of the GDPR, because, in the latter, these fact-related assessment aspects take precedence. In justifying the much lower fine of 900,000 euros, the court concluded that the amount of turnover would still be important; however, a clearer assessment of the severity of the data protection violation (in either direction) would render the turnover less important in relation to the culpability.

Does this mean the all-clear for companies as far as the level of fines for data protection violations is concerned? I think not. Because even though the Bonn Regional Court drastically reduced the fine imposed by the BfDI, it nevertheless explained very precisely what it considered important in assessing the data protection violation - namely, the fact-related circumstances of the specific individual case.

In this case, the court took the following into account:

• Initially, no sensitive data had been affected, and the damage to a customer had demonstrably occurred only in this one circumstance. The court pointed out that it should be taken into account that cases of data theft via a call centre often do not become known. 
• The company had not deliberately, consciously or even conditionally intentionally violated data protection law. It had assumed that the authentication process complied with the law, and the court found that this misconception was avoidable. 
• There were no specifications for authentication in call centres, and the low level of security existed to allow customers to contact the call centre without major obstacles. 
• The company had cooperated with the BfDI, immediately increased the level of protection of the authentication process and ultimately introduced a service PIN in coordination with the BfDI.
• This was the first time the company had been fined for a data protection violation. 
• Even though - theoretically - millions of sets of customer data were affected, there had been no threat of mass theft of personal data. Attackers would only have been able to get hold of the data in individual cases by skilful call-centre calls. In real terms, only a small - albeit relevant in view of the size of the customer base - number of customers were threatened with disadvantages due to the weak authentication.

The fines imposed are still considerable and it is therefore not advisable to take data protection violations lightly. If one follows the words of the court, the amount of turnover continues to be important in addition to the offence-related circumstances. In relation to the culpability of the offence, the more clearly the severity of the data protection offence can be assessed on the basis of the offence-related circumstances, the less important the turnover becomes - in either direction. However, the type and manner of the data protection violation can undoubtedly also trigger higher fines. Consider, for example, a scenario in which an attacker gains access to a large amount of (also sensitive) personal data by technical means. He would then not have to take a circuitous route via individual calls with the specification of certain authentication data in order to obtain the data. The assessment of this data protection violation would be completely different.

The entire case has attracted considerable attention and has certainly opened up new perspectives in the assessment of fines. It remains to be seen how further fine practice will develop. However, companies should not simply conclude that punishments will be milder. It was the specifics of the individual case that led to the significant reduction of the fine. Other circumstances will lead to other assessments.