They say that machines are getting better than human beings at identifying patterns in data, but you do not need sophisticated data analysis to notice something odd about Spanish telcos and violations of the General Data Protection Regulation (GDPR). Anyone monitoring news about European telcos would have noticed a very simple pattern indeed: there are many news stories about GDPR violations by Spanish telcos, and far fewer stories about GDPR violations by telcos in the 30 other countries that have adopted GDPR. Per records maintained by the GDPR Enforcement Tracker of multinational law firm CMS, Spanish telcos have received over 5 percent of all known fines since GDPR rules came into force in 2018.
Not every GDPR fine is captured by the GDPR Enforcement Tracker because a few countries choose not to publish information about all their GDPR enforcement decisions, but it is nevertheless startling that Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has issued a total of 103 GDPR fines to Spain’s four leading telcos: Movistar, Orange, Vodafone and Yoigo. To put this into perspective, the numbers of GDPR fines issued by the data protection authorities of Belgium, France and Portugal to organizations of all kinds are 40, 37 and 7 respectively.
AEPD is not just picking on telcos; it also issues an unusually large number of fines to other organizations. In total, AEPD is responsible for 733 of the 2,023 fines listed in the database, more than double the 297 handed out by the next most prolific authority, Italy’s Garante per la protezione dei dati personali. Only three other national authorities, those of Italy, Germany and Romania, have issued more fines in total than the 103 received by Spanish telcos alone.
Although AEPD issues more GDPR fines than any other data protection authority across all sectors, it is also unusually tough on telcos. 22 percent of its fines went to businesses in the telecoms, media and broadcasting sectors, and 14 percent went specifically to the four telcos mentioned above. The other 30 GDPR countries are known to have collectively issued 111 fines to businesses in the telecoms, media and broadcasting sectors, just 8.6 percent of the total number of fines issued in those countries.
Vodafone has received the majority of fines issued by AEPD to Spanish telcos. 74 GDPR fines have been collectively received by three Vodafone entities active in Spain: Vodafone España, Vodafone Ono, and Vodafone Servicios. Xfera Móviles, which uses the Yoigo brand, has received 17 GDPR fines. Orange’s Spanish unit and Telefonica’s Movistar have received 7 and 5 fines respectively. These latter figures are small compared to Vodafone’s, but still higher than those of most telcos operating in other European countries. For example, other Vodafone national operations have received 5 GDPR fines in Romania, 2 in Italy, 2 in Greece, 1 in Ireland, and none in the UK.
These statistics relate to the number of separate fines and not their values. Making generalizations about the value of fines is complicated by a few mega fines, and by the way GDPR is enforced against big multinationals by the country that houses their European headquarters. For example, Ireland has issued both a EUR1.2bn (USD1.3bn) fine and a separate EUR390mn (USD420mn) fine against Meta for violations that will have affected users across the continent. Different data protection authorities also apply markedly different policies to whether they issue fines at the low end of the spectrum. The fines issued to Spanish telcos tend to lie around the median for all GDPR fines. They are most typically worth either EUR40,000 (USD43,000) or EUR56,000 (USD60,000), which indicates a highly standardized approach to the calculation of penalties issued by AEPD.
This data suggests Spain has a data protection regime which is unusually petty. Earlier this year Orange Spain was fined EUR42,000 (USD45,000) because it was deemed to have asked only two questions to authenticate a customer’s identity, instead of the three required by the company’s written policy. This resulted from a lack of clarity over whether asking for a customer’s national identity number is part of establishing the customer’s identity or counts towards authenticating that identity. The real issue in that case was that a customer claimed to have had their service hijacked for a short while. Asking the fraudster an additional authentication question need not have changed the outcome; the same fraudster had already correctly answered two other authentication questions, so there is little reason to assume a third would have stopped them. So whilst a fine was issued, it will not promote a change in approach that significantly alters the risk of the specific harm which first prompted the AEPD’s involvement.
The other problem highlighted by this data is that GDPR rules are supposed to be applied consistently across all countries, but this is far from being the case. Spain is issuing a lot of fines for trivial offenses that would be ignored by other data protection authorities. The penalties it imposes for these offenses are also larger than most other data protection authorities would apply. The level of performance of national operating units in an international group like Vodafone or Orange will vary from country to country, but not to an extent that would justify Spain’s relative eagerness to issue fines. Whether you consider Spain to be issuing too many GDPR fines, or other countries to be issuing too few, there are major discrepancies across Europe in which kinds of data protection failings are deemed significant enough to merit punishment.