Volley of GDPR fines for telecom sector show how Big Tech dodges a bullet

A clutch of large and small fines against telecom companies for breaking the EU's strict General Data Protection Regulation stands in sharp contrast to US tech giants, which have received just two fines despite being, in the eyes of many observers, the law's real target.

Vodafone was fined 8.2 million euros ($9.7 million) in Spain earlier this month, of which 6 million euros was for violating the GDPR, bringing the total fines handed to the telecom sector to almost 70 million euros since the law came into force in May 2018.

The handful of multimillion-euro fines imposed on telecom companies — the largest was 27.8 million euros — have been supplemented by a steady drumbeat of smaller penalties prompted by consumer complaints: Vodafone Spain alone has been handed 43 GDPR fines in total, some as little as 3,000 euros and all but three below 100,000 euros.

This pattern, observed in data gathered by MLex, arguably shows the GDPR working as intended, with national regulators able to impose large or small fines as they see fit, with few constraints. But it’s only possible because telecom companies’ corporate structures divide cleanly along national lines.

Tech giants, by contrast, tend to operate in Europe through a single subsidiary based in Ireland, except for Amazon which is in Luxembourg. That puts them under the umbrella of the GDPR’s much-criticized "one-stop shop" mechanism (see MLex comment here), which has held up major cases and entirely extinguished smaller ones.

There has been just one fine against a Big Tech company under the one-stop shop, of 450,000 euros against Twitter. An earlier penalty of 50 million euros against Google avoided the mechanism, rushed through by the French data protection authority in January 2019 before Google had completed the paperwork to formally establish itself in Ireland.

The Google fine, which was upheld on appeal, shows European regulators’ appetite to go after Big Tech. And the half-dozen open cases could yet yield massive fines: Facebook has set aside more than 300 million euros, and its subsidiary WhatsApp more than 77 million euros.

For now, though, all of these investigations are stuck with the Irish Data Protection Commission. And when it comes to the tech sector, small fines led by consumer complaints — a hallmark of the enforcement pattern against telecom companies — are nowhere to be seen.

— Telecom fines —

Apart from the one-off Google fine, the telecom sector's accumulation of GDPR fines to almost 70 million euros is substantially more than the next nearest sector, retail, at just under 50 million euros — and that total was swollen by one German fine of 35 million euros against clothing chain H&M for surveillance of its employees.

By definition, telecom companies have access to the contact details of all their customers. This can lead to temptation to use these datasets for marketing purposes, as well as presenting a vulnerability for the data being stolen or accidentally mishandled.

The sector’s largest fine, of 27.8 million euros, was given to Telecom Italia, or TIM, by the Italian authority in February 2020. TIM was fined for unlawful data processing, an aggressive marketing strategy, invalid collection of consent and excessive data retention.

In July 2020, Wind Tre — another Italian telecom operator — was fined 16.7 million euros for contacting customers through phone calls, text messages, and voicemail messages without having secured their consent.

Still in Italy, Vodafone was fined 12.3 million euros last November for multiple GDPR violations. It used fictitious phone numbers for telemarketing and processed major databases of personal data acquired from third-party companies without securing the necessary consent from data subjects, the watchdog said.

This month’s Spanish penalty against Vodafone — 6 million euros for GDPR violations, 2 million euros for breaches of telecom law and 150,000 euros for breaking e-commerce rules — is the highest ever issued in Spain, exceeding a 6 million-euro penalty handed to Caixabank in January.

For the GDPR violations, the Spanish authority found that companies working for Vodafone contacted individuals who had opted out of its marketing campaigns via e-mail, phone, and text. Vodafone also didn’t ensure the necessary safeguards for international data transfers outside the EU, including to Peru.

— Proportionality —

The Vodafone Spain fine was one of 10 handed to telecom companies across the EU in the first quarter of this year, MLex’s data show, continuing the high rate of both small and large GDPR fines against telecom companies since 1&1 Telecom was fined in Germany in December 2019.

The 1&1 Telecom fine, originally 9.55 million euros, was cut to 900,000 euros in court late last year, establishing a requirement on regulators to issue sanctions proportionate to the violation rather than always reaching for the biggest possible penalty.

For Vodafone Spain, the regulator justified this month’s high fine by pointing to the scale of the violation: The company made about 200 million marketing calls over two years, prompting 162 complaints. Clients who had explicitly opted out of marketing were still contacted, the authority found.

The 1&1 Telecom court decision, and the huge range in sizes of the GDPR fines issued against telecom companies, both show a certain maturity of enforcement. That is still sorely lacking in Big Tech, where the action is limited to a half-dozen big cases in progress.

The sole one-stop shop fine against a tech giant — Twitter’s 450,000 euros — came only after strong disagreements among national regulators on how large the fine should be. The head of the Irish regulator, Helen Dixon, has expressed her exasperation at the “cumbersome and slow” process.

For privacy campaigners, that’s a major disappointment. The GDPR was meant to tackle privacy abuses in new digital markets that earlier legislation couldn’t capture. Instead, it appears to work best with the previous generation of communications companies.

Check out the LexisNexis GDPR Fines, Penalties & Enforcement Tracker, which draws on the MLex data referred to in this story.