As of today, 12 DPAs (of which three are different German DPAs) have imposed 50 fines on media and telecom companies amounting to a total of around EUR 100 million. The Spanish DPA has imposed 31 fines and was thus the most active DPA in the EU. Fines against Google alone amount to EUR 57 million. Telecom providers faced 43 out of 50 fines, amounting to a total of almost EUR 40 million.
Let's take a closer look:
- The French CNIL imposed the highest fine, of EUR 50 million, on Google. The authority based the fine on two aspects: (i) Google did not inform users in a transparent way about data processing operations for setting up a Google account using the Android system and (ii) Google did not obtain users' valid declarations of consent for marketing measures.
- In Germany, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed the highest fine, of EUR 9.55 million, on telecom provider 1&1. The authority based its decision on insufficient technical and organisational measures and hence insufficient data security. A caller was able to obtain extensive personal customer data from the company's customer service department simply by stating a customer's name and date of birth.
- The Italian DPA fined telecom provider TIM EUR 27.8 million, which is the second highest fine in this sector. The decision was prompted by the company's unsolicited commercial communications, sent without data subjects' declaration of consent or despite the fact that they had registered their objection to such communication in the public register. Other shortcomings concerned incorrect and non-transparent information on data processing within the company's apps and invalid methods of obtaining consent.
- It is noteworthy that in the majority of cases the authorities levied fines for insufficient legal bases for processing operations and for insufficient data security.
Telecom providers and media companies are generally subject to heightened scrutiny, not least because they handle sensitive communication data. Companies must thus ensure that their processing operations are lawful. For example, data processing for marketing communications will most likely require data subjects' consent. Declarations of consent are only valid if they are freely given, specific, informed and unambiguous. In addition, every controller and processor must ensure that sufficient data security measures have been implemented. A solid starting point is industry standards and certifications, such as the IT security standard ISO/IEC 27001. However, it will not be sufficient for telecom and media companies to rely on the status quo with regard to such measures; companies must review and update them on a regular basis. Companies should also apply the "privacy by design" principle, i.e. build privacy considerations into their business operations and new products from the outset.