Image: Mutney via Wikimedia Commons (CC0)

Germany hands Vodafone $51 million fine over data privacy violations

German data privacy regulators on Monday fined the multinational telecommunications company Vodafone €45 million ($51.2 million) for what authorities called “malicious behavior” by third-party sales agents and for security flaws in its authentication processes.

The German data privacy regulator, Federal Commissioner for Data Protection and Freedom of Information (BfDI), alleged that “partner agencies” working with Vodafone arranged fraudulent deals with customers on the company’s behalf, including by using fictitious contracts or changing contract terms in ways which hurt clients.

As a result, the agency fined the company €15 million ($17.1 million) because it had not “adequately checked and monitored partner agencies working for it” under the terms of Europe’s tough General Data Protection Regulation (GDPR), according to a BfDI press release.

The regulator fined the telecom company an additional €30 million ($34 million) for what it called security flaws in the authentication process for customers using the company’s online portal and hotline.

“The discovered authentication vulnerabilities allowed, among other things, unauthorized third parties to access eSIM profiles,” the press release said.

A Vodafone spokesperson said in a statement that the partner agencies’ actions were due to “insufficient data protection checks.” 

The statement said the company “regrets that customers were negatively affected” by the weaknesses in its authentication process.

“The systems and measures in place at the time ultimately proved to be insufficient,” the statement said.

“Under Vodafone's new management, data protection is a top priority throughout the company,” the statement said. “Vodafone has analyzed and fundamentally revised its systems and processes.”

BfDI said the company has strengthened its protections since the case began, ensuring similar problems will not occur in the future.

Germany’s federal data protection commissioner Louisa Specht-Riemenschneider said in a statement that her motivation is to “ensure that data protection violations do not occur in the first place.”

“Companies that want to comply with data protection law must be empowered to do so,” the statement said. “Data protection is a factor of trust for users of digital services and can therefore become a competitive advantage.”

European Union data privacy regulators have intensely scrutinized companies under the GDPR and have recently fined Meta €1.2 billion ($1.37 billion) for alleged improper data transfers and Uber €290 million ($330 million) for allegedly transferring driver data to the US without appropriate protections.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.