27k unique visitors in the last 3 days

Spanish Telcos Use Courts to Fight GDPR SIM Swap Fines

The peculiar way Spain has applied data protection law to SIM swap fraud deserves further scrutiny following court appeals from both Digi and Movistar.

Lawyers working for Spanish multiplay provider Digi will be congratulating themselves after they successfully persuaded the Audiencia Nacional, the National Court, to relieve them of needing to pay EUR340,000 (USD369,000) for three fines issued by Agencia Española de Protección de Datos (AEPD), the Spanish data protection authority. However, rival Spanish telco Movistar will be feeling aggrieved because they appealed three AEPD fines worth EUR900,000 (USD978,000) to the same court, only to lose their appeal. Trying to get an AEPD fine reversed in court is risky because the appellant cannot take advantage of discounts offered for early settlement of their fines. So why are Spanish telcos making a habit of fighting data protection fines in court, and how did Digi succeed when Movistar failed?

Spain’s Unusual Way of Applying GDPR Rules to SIM Swaps

The purpose of the European Union’s General Data Protection Regulation (GDPR) is to harmonize data protection rules across Europe. But as GDPR needs to be written into national law, and then a national agency is tasked with interpreting and enforcing that law, there are multiple ways to introduce inconsistencies into the way rules are applied in different countries. Consistent data protection rules should help businesses with international interests, such as telcos. In practice, Spain has adopted a highly unorthodox interpretation where SIM swap frauds are routinely treated as data protection violations because they involve somebody gaining unauthorized access to a customer’s phone service without having genuine credentials. Spanish telcos routinely get hit with a standard fine for each case, even though they were also victims of a deliberate deception.

The consequence of the AEPD interpretation of how to apply GDPR to SIM swaps is illustrated by the pattern of GDPR fines issued. 31 countries have adopted GDPR, but more than 1 in 20 of all known GDPR fines across the whole of Europe have been issued by the AEPD against Spanish telcos.

Movistar’s Appeal and Why It Failed

Movistar argued they were not responsible for three SIM swaps which resulted in fines totaling EUR900,000. In each instance, the identity of the person who received the replacement SIM was checked by an external firm acting as a distributor instead of being performed by Movistar itself. A different outside firm was involved in each instance. SIM swaps were conducted in person at stores run by Catphone and Thader, whilst Atento was duped by a fraudster who contacted them over the phone. Movistar stated that each distributor had failed to follow the specified protocols for validating a customer’s identity.

The National Court rejected Movistar’s appeal, reasoning that Movistar still retained responsibility for validating the identity of anyone receiving a replacement SIM even when an external agent is involved in its supply.

Digi’s Appeal and Why It Succeeded

Digi has received 12 fines from AEPD relating to SIM swaps, worth EUR970,000 (USD1.05mn) in total. AEPD can impose larger fines if it treats a history of past violations by the same organization as an aggravating factor, and the most recent fine received by Digi was increased to EUR200,000 (USD217,000) instead of the EUR70,000 (USD76,000) penalty that is more typically applied. Digi appealed all 12 fines, and hence lost the opportunity to secure a discount by paying any of them early. None of the appeals persuaded the court that the fines were not merited by the circumstances of each SIM swap. However, Digi’s lawyers then argued that the company was losing money at such a rate that it could not afford to pay all of the fines; my translation is given below the original Spanish.

En conjunto, las sanciones impuestas a dicha parte por la Agencia Española de Protección de Datos ascienden a un total de 970.000 euros. Y la sociedad recurrente teniendo presente la cuenta de pérdidas y ganancias a 30 de noviembre de 2023 (pendiente de auditoría), se puede confirmar que incurre actualmente en unas pérdidas como resultado contable de 18.327.000 euros a 30 de noviembre de 2023.

Altogether, the sanctions imposed on said party by the Agencia Española de Protección de Datos amount to a total of 970,000 euros. And the appellant company, taking into account the profit and loss account as of November 30, 2023 (pending audit), it can be confirmed that it currently incurs losses as an accounting result of 18,327,000 euros as of November 30, 2023.

Digi asked for 10 of the fines to be suspended. The court agreed to suspend three fines instead, reducing the amount that needed to be paid by EUR340,000 (USD369,000).

Conclusions

The importance of respecting a person’s privacy does not change depending on whether that privacy was violated by a profitable business or a loss-making business. Spain is an outlier because its data protection authority rigidly applies penalties for SIM swap frauds when other countries do not consider them to be violations of data protection law. The very rigidity of their approach implies there will be consistent treatment for all, which makes it shocking that the courts would simply decide to set aside some penalties based on an arbitrary assessment of how much a company can afford to pay.

Arbitrary and inconsistent rules do not deliver good results. The Spanish authorities are already generating a steady income through an unusual interpretation of GDPR. Waiving penalties based on a company’s ability to pay makes this interpretation look more like an excuse to generate revenue for the state than a genuine attempt to tackle crime.

The Spanish government recently launched a public consultation about how to tackle telecom scams that was also unusual because the detail was very thin compared to equivalent consultations run by other countries. Their expectation is presumably that experts working in industry should fill in the blanks for the government. The timing of the consultation suggests the Spanish government might have benefited from somebody catching the short flight to London to participate in the Global Fraud Summit that recently drew senior representation from as far afield as the USA, Japan and Australia, in addition to ministers from Germany, France and Italy. Spain did not send a ministerial delegation. Successfully fighting fraud involves a lot of cooperation, both between the private sector and the public sector, and also between countries. If Spanish authorities will not align their practices with neighboring countries, if they ignore opportunities to collaborate on fraud prevention, and if they take an antagonistic attitude to the private sector, then I fear that ordinary Spaniards will be put at more risk than they should.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email