The Media, Telecoms and Broadcasting sector is the most rigidly scrutinised and fined sector. It is by far the sector with the highest aggregated amount of fines: EUR 120 million (+20 million in comparison to the ETR 2020), resulting from 110 fines across 15 jurisdictions (+3 in comparison to the ETR 2020). It also features 2 fines in the overall top 3 fines (EUR 50 million against Google in France and EUR 27.8 million against TIM in Italy). In addition, DPAs have imposed 4 out of the overall top 10 fines on telecom providers, amounting to EUR 64 million alone, in all 4 cases because of unlawful direct marketing measures. The latter finding is representative of the fact that most fines in this sector were imposed on telecom providers.
Let's take a closer look:
- The French DPA’s (CNIL) fine from 2019 against Google (ETid-23) in the amount of EUR 50 million remains the highest of all fines. The CNIL based its fine on Google’s insufficient transparency towards users and a lack of users’ consent for marketing measures.
- The Italian DPA Garante has levied 3 significant fines against telecom providers: EUR 27.8 million against TIM (ETid-189), EUR 16.7 million against Wind Tre (ETid-336) and EUR 12.3 million against Vodafone Italy (ETid-438). All 3 fines concerned unsolicited marketing communications, i.e. data processing operations without data subjects’ prior valid consent. The violations were in each case unveiled after hundreds of data subjects had filed complaints against the marketing measures.
- The German Federal DPA’s (Federal Commissioner for Data Protection and Freedom of Information, BfDI) fine against telecom provider 1&1 (ETid-128) was remarkably reduced by 90% in court proceedings: the BfDI had initially imposed a fine of EUR 9.55 million, based on 1&1’s insufficient data security in its call centre, leading to the disclosure of a customer’s data. On 1&1’s appeal, Bonn Regional Court found that the fine was unreasonably high and reduced it to EUR 900,000. The Court held that 1&1’s culpability and the severity of the violation had to be classified as minor.
- The Swedish DPA (Datainspektionen) fined Google EUR 7 million (ETid-232) for failing to comply with data subjects’ requests to have their data removed from the search results. The Administrative Court of Stockholm rejected Google’s appeal against the fine but reduced it to EUR 5 million.
In most cases, DPAs impose fines because companies’ data processing operations lack a sufficient legal basis. In particular, DPAs in Italy and Spain have recently underlined that they are tackling telecom providers’ unsolicited marketing communications as an unlawful part of their efforts to win customers. Companies in the Media, Telecoms and Broadcasting sector must typically obtain data subjects’ consent prior to communicating marketing materials by phone or email. In addition, when obtaining data subjects’ consent, companies must be particularly cautious and transparent: declarations of consent are only valid if they are freely given, specific, informed and unambiguous.
Apart from insufficient legal bases, DPAs still impose numerous fines because companies do not implement sufficient data security measures. Standard measures must include physical and system access controls, data pseudonymisation, availability controls and measures to ensure quick data restorability. All security measures must also be overhauled on a regular basis and tailored to the specific data processing scenarios. In particular, media and telecom companies’ large-scale processing operations require robust security measures to protect the confidentiality and integrity of data subjects’ data.