20.5k unique visitors in the last 3 days

Telco Loses Appeal over €200,000 GDPR Fine for Christmas Day SIM Swap

Spanish telcos endure a much harsher interpretation of data protection law than their European peers.

Telecoms is a global business and the methods used to defraud telcos and their customers do not vary much from country to country. This contrasts sharply with the great variety found in the national laws that prohibit these crimes. Even in situations where the rules are meant to be the same across several countries, as is the situation with the European Union’s General Data Protection Regulation (GDPR), the interpretation and enforcement of these rules can be markedly inconsistent. This is demonstrated by Spain’s four leading telcos receiving almost as many GDPR fines as the total number of GDPR fines received by all telecoms, media and broadcasting organizations across all the other 30 countries that have adopted GDPR. A recent case where mobile operator DIGI failed in their appeal against a EUR200,000 (USD217,000) fine for issuing a replacement SIM to a fraudster illustrates what can happen if data protection diktats are taken to a logical extreme.

Facua, a Spanish consumer activist nonprofit, filed a GDPR claim on behalf of an anonymous consumer on September 14, 2022. The claim asserted that almost 9 months earlier, on December 25, 2021, the anonymous consumer had unspecified amounts taken from their bank account as a consequence of DIGI issuing a replacement SIM for their phone service to a fraudster. Ironically, the fraudster who impersonated the actual customer sent Whatsapp messages to DIGI saying they needed a replacement SIM because the phone had already been compromised and was being used to steal money from the customer’s account with Bizum, a Spanish bank. DIGI issued a new SIM on the same day. The substance of Facua’s argument is that a SIM card is personal data, per the definitions in GDPR, because it is used to authenticate a phone user, and that DIGI had not performed sufficient checks to verify the identity of the person who requested and obtained the replacement SIM. Spain’s data protection agency, Agencia Española de Protección de Datos (AEPD), rejected the claim 6 weeks later, prompting Facua to appeal that decision. Facua’s appeal was successful, resulting in the EUR200,000 fine for DIGI and the telco instigating a second appeal which they lost.

Before we explore the legalistic reasoning applied in the AEPD’s decisions, let us step back and look clearly at the risk dynamic when DIGI issued the replacement SIM. On the one hand, if DIGI issues a SIM without demanding sufficient proof of an individual’s identity then criminals can use control of the victim’s phone service to obtain access to other accounts belonging to that victim. On the other hand, if DIGI places unreasonable demands on somebody whose phone has already been compromised then they will delay the restoration of the service to its rightful owner, allowing more time for criminals to steal from other accounts belonging to the same victim. There is a downside to either toughening or loosening the standards applied when authenticating somebody requesting a new SIM. Tougher standards make it less likely that the telco will issue a SIM to a fraudster, but they also increase the risk that a genuine customer will suffer losses because they will need to provide more evidence of who they are, and this is likely to increase the time before they recover control of their account. In this specific instance, the request for a new SIM occurred on Christmas Day, when it would be especially onerous to insist upon a customer presenting identification documents in person at a DIGI store before they could regain control of their phone service.

Despite rejecting Facua’s initial claim, the appeal saw the AEPD apply some strangely simplistic reasoning about what constitutes sufficient verification of a customer’s identity. Hardly any written explanation is given, but AEPD’s position is seemingly that the issuance of a SIM card to the wrong person is itself proof of insufficient identity checks being performed. Taken at face value, this would mean that a Spanish telco breaks the law whenever it is tricked into issuing a SIM by a fraudster, irrespective of the sophistication of the fraudster’s methods. Perhaps realizing how tendentious this line of reasoning is, AEPD then proffers a second argument that DIGI’s stated procedures, at the time when the SIM was issued, require the presentation of physical ID documents at the location where the new SIM would be issued. DIGI was afforded no leeway to apply a different standard in exceptional circumstances, such as the request for a new SIM occurring on a public holiday, or the request coming from an individual who claims to have already lost control of their phone service to a criminal. This officious line of reasoning is especially problematic in Spain, whose police have acknowledged the country had an unusually severe problem with pickpockets that target the theft of mobile phones.

It then becomes even harder to follow the reasoning applied to the AEPD’s calculation of the penalty imposed on DIGI. AEPD cites three earlier cases in which DIGI had been fined EUR70,000 (USD76,000) each time for wrongly issuing replacement SIMs. Instead of following their own precedent, AEPD decides that the previous fines show DIGI is failing in its duty of care, so imposes the maximum penalty allowed in Spanish law for cases like these, which is EUR200,000. AEPD made this decision on September 20, 2023, and the decision was communicated to DIGI five days later. DIGI immediately appealed, and a decision in the second appeal was reached two weeks ago.

DIGI’s appeal argued that liability was being applied too strictly. Put simply, they said AEPD’s interpretation of the law would mean that a telco would always be deemed at fault even if a fraudster presented flawless identity documents in person. AEPD responded by citing case law that predates GDPR but which implies DIGI remains strictly liable for failures to correctly authenticate somebody presenting themselves as a customer, without regard to whether DIGI correctly followed a reasonable and pre-established procedure for performing this task. AEPD further denied that there were any mitigating circumstances that would justify a reduction to the fine. DIGI argued that the data compromised did not fall into one of the ‘sensitive’ categories per GDPR, so it was not appropriate to apply the maximum legal penalty in this instance; AEPD responded by asserting that violations involving sensitive data justify higher penalties but that does not imply violations that do not involve sensitive data must receive lesser penalities. DIGI also observed they gained nothing from this violation of GDPR; AEPD followed a similar line of reasoning about profits from a violation justifying a larger penalty but the absence of profit not providing any extenuation.

The decision in the second AEPD appeal includes two profoundly discordant claims in close juxtaposition. AEPD says they do not attribute all responsibility for the SIM swap to DIGI, presumably because that would imply literal fraudsters have no responsibility for their crimes. But AEPD followed this up by stating:

DIGI en su condición de operador deber ser más exigente a la hora de proporcionar un duplicado de una tarjeta SIM. Las verificaciones de identidad deben ser exhaustivas para evitar problemas de suplantación de identidad.

DIGI, as an operator, must be more demanding when it comes to providing a duplicate SIM card. Identity checks must be thorough to avoid identity theft issues.

I see no balanced risk assessment that would support this conclusion. AEPD effectively ignores the responsibility that a mobile operator has to a customer who has already lost their phone. More onerous identity checks place more burden on the customer as well as the telco. Identity theft also occurs when a phone or SIM card is stolen from its rightful owner, and not just when somebody tricks a telco into issuing a replacement.

It would be pointless to argue about whether AEPD has followed Spanish law correctly; lawyers are always ultimately proven right, even when some of them have been proven wrong. But there can be little argument over the eccentricity of Spain’s data protection decisions with respect to SIM swap fraud. Maybe, in several decades from now, some trans-European lawyers will align the application of GDPR to Spanish SIM swaps with the application of GDPR to SIM swaps elsewhere. In the meantime, Spain will remain an unusually hostile data protection environment for telcos, with negative consequences for any Spanish consumer who loses their phone or has it stolen.

AEPD’s decision in the first appeal can be downloaded from here, and the decision in the second appeal can be downloaded from here.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email