view all news & events

13.11.2020

Violations of the DS-GVO not so bad after all? - Fines are drastically reduced

Instead of the announced record high fines, the ICO imposed significantly lower fines on British Airways and Marriott. The Bonn Regional Court drastically reduces the fine imposed on 1&1. What happened?

ICO imposes significantly lower fines on British Airways and Marriott

In July 2019, the UK data protection authority ICO announced the highest fine ever imposed in Europe on British Airways (€ 200 million) and the Marriott hotel chain (€ 110 million) (SKW Schwarz reported). However, these fines have now been reduced considerably - € 22 million and € 20.3 million respectively.

Under the General Data Protection Regulation (GDPR), national data protection authorities can impose fines of up to € 20 million or 4% of the previous fiscal year's total worldwide annual turnover, whichever is the higher. The financial situation of the company may also play an important role in determining the amount of the fine. Under the so-called Regulatory Action Policy, the data protection authority ICO is obliged to take into account the economic consequences for the company when determining the amount of the fines, in particular whether the company that has committed a data protection violation can afford the fine.

British Airways and the Marriott hotel chain have been shown to be among the companies severely affected by the Corona pandemic. As a result, the data protection authority ICO took into account the economic consequences of the Covid 19 pandemic and significantly reduced the fines imposed on the two companies. In his fine proceedings against the AOK Baden-Württemberg, the State Commissioner for Data Protection and Freedom of Information also took particular account of the current challenges facing the AOK as a result of the current corona pandemic.

In addition to the current corona pandemic, other factors led the data protection authority ICO to mitigate the high multi-million fines imposed on the airline British Airways and the Marriott hotel chain. The authority highlighted the willingness of both companies to cooperate and emphasized the considerable efforts of both companies to upgrade their data security and IT security measures.

Bonn Regional Court reduces fine against 1&1 by 90 %

The case was different with the fine imposed on 1&1 Telecom GmbH. On December 9, 2019, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) imposed a fine of € 9.5 million on the telecommunications service provider for a violation of Art. 32 GDPR because the authentication procedure for telephone information did not correspond to the state of the art.

1&1 Telecom GmbH filed a complaint against the fine notice and justified the plaintiffs by stating that the fine was disproportionate and that the assessment would violate the German constitution. In its ruling of 11 November 2020, the Bonn Regional Court confirmed a violation of Art. 32 GDPR. However, the fine was drastically reduced to € 900,000.00.

In the case, the Regional Court of Bonn saw only a slight, non-intentional violation of Art. 32 GDPR in an individual case for which a fine in the millions was not appropriate. Numerous mitigating circumstances were included in the judgment. For example, no special categories of personal data were affected and there was no reason to fear a mass release of data. The fault of the telecommunications service provider was to be considered minor. In view of the authentication practice practiced over years, which had not been objected to until the fine was imposed, there was a lack of the necessary awareness of the problem as well. As a result, the Bonn Regional Court drastically reduced the amount of the fine.

Moreover, the Regional Court of Bonn answered another key question of the proceedings - can fines be imposed on companies at all, irrespective of the provisions of §§ 30, 130 OWiG - in the affirmative. The judgement is thus based on the validity of the European understanding of a company - the imposition of a fine on a company would not depend on the fact that the concrete infringement by a manager of the company was determined. In the opinion of the Regional Court of Bonn, the applicable European law - in contrast to the German law on administrative offences - does not impose a corresponding requirement.

What are the practical consequences of the three reductions shown above?

Although the fines have been drastically reduced in the cases named, companies should not back out now. High fines must also be expected in the future for violations of the GDPR. However, controllers can rely on current economic developments and questions of fault being taken into account when calculating the fine.

The three proceedings against the airline British Airways, the hotel chain Marriott and the telecommunications service provider 1&1 clearly show that deficiencies in data security are one of the most frequent reasons for data protection authorities to initiate fine proceedings. Companies should therefore regularly review their data security concepts and make improvements where necessary. A regular review of the technical and organizational protective measures in accordance with Art. 32 GDPR can also help to minimize the risk that the competent data protection supervisory authority detects a violation of the provisions of the GDPR and imposes a fine.

Further it shows up that companies are well advised to proceed against imposed/announced fines. The example of the telecommunications service provider 1&1 shows that the fine concept of the data protection conference of 14 October 2019 (SKW Schwarz reported) is under scrutiny. The Regional Court of Bonn criticized that a purely sales-oriented fine concept disregards essential assessment points. As a result, the Federal Data Protection Commissioner, Kelber, also declared during the hearing that the fine concept of the Data Protection Conference would be revised.

The Data Protection Litigation Task Force of SKW Schwarz supports companies in all questions regarding threatened or imposed fines, both in out-of-court negotiations and in representation before state courts, up to the CJEU. In addition, the task force specializes in defending against material and immaterial claims for damages as well as defending consumers' registration actions against collection agencies and credit agencies.

Authors

Oliver Hornung

Dr. Oliver Hornung

Partner

visit profile
Franziska Ladiges

Franziska Ladiges

Counsel

visit profile