On January 27, the Hellenic Data Protection Authority (DPA) imposed a fine of 6 million euros and 3.25 million euros to the mobile phone operator Cosmote and its parent company OTE, respectively. The companies were involved in a data breach caused by a cyber-attack occurred in September 2020 concerning the leakage of subscriber call data.
The decision is noteworthy for two reasons. First, it explores the interplay between the General Data Protection Regulation 2016/679 (GDPR) and the Greek Law on the protection of personal data and privacy in the electronic communications sector (i.e., L. 3471/2006). Additionally, it indicates that even though GDPR has been in place for almost 4 years, organisations are still not confident in executing day-to-day data protection practices. For example, it remains unclear whether the conduct of a Data Protection Impact Assessment (DPIA) is necessary or what form and content it should have. Furthermore, the provision of clear and sufficient information to data subjects by means of privacy notices has proved to be a challenging obligation for data controllers.
This article describes the shortcomings of Cosmote’s approach and provides advice on how organisations can ensure a more robust programme is in place.
Background of the Case
Cosmote subscribers’ call data stored in Cosmote’s server was transferred from its server to an IP address of a Lithuanian hosting provider. After an internal investigation, Cosmote discovered that it was the same IP address that hacked the website hosted in OTE Group’s infrastructure. During the hack, the attacker gained access using the password of an employee of OTE Group (obtained from a LinkedIn data breach). Then, the hacker executed queries on Cosmote’s Big Data system, from which he exported the file with the subscriber call data.
In the context of the investigation, the Greek DPA examined the legality of record-keeping of the call data and its retention period. Cosmote reported that it retained call data for 3 months as part of its customer service policy for troubleshooting purposes. At the end of this period the call data was enriched with personal data of the subscribers (namely information about customer’s programme, gender, or age). According to Cosmote, identifiable data was then removed from each customer’s record to create an anonymised dataset that was kept for a further 12 months. This enabled the company to retrieve statistical information about the optimal design of their mobile network services.
Ruling of the DPA
The DPA held that Cosmote infringed:
- Articles 5 and 6 of the Greek data privacy law (L. 3471/2006) for retaining data that was not absolutely necessary to be kept for the purpose of troubleshooting. Additionally, the three-month period exceeds the expected period for fixing any technical problems and potential failures.
- Article 12(1) of the Greek data privacy law (L. 3471/2006) because the data security measures were not sufficient to deter the cyber-attack
- Articles 5(1), 13 and 14 of the GDPR as Cosmote failed to comply with its transparency obligations to provide clear and understandable information to individuals through its privacy notice and/or contract. Individuals were not informed about the three-month storage of their data as well as the storage of the enriched anonymised file for 12 months.
- Article 35(7)) of the GDPR because the DPIA was not complete and carried out according to the provisions of GDPR
- Article 25 of the GDPR because Cosmote had not effectively implemented its anonymisation technique and the processed data was, in fact, pseudonymised. As a result, Cosmote was processing personal data and this processing was subject to the GDPR.
The DPA ruled that OTE was fined because it violated its obligation to implement adequate security measures (Article 32 of the GDPR) as regards the infrastructure utilised in the context of the data breach.
Recommendations
This case demonstrates the need for organisations to consider the following, in order to avoid being in similar circumstances:
- Put in place robust password procedures and raise the awareness of your personnel. Users’ access credentials (i.e., a username and password or passphrase) are particularly significant for attackers. Personnel should refrain from using personal passwords.
- Establish detailed retention schedules and make sure you demonstrate the reasons for the determination of such periods.
- Keep your privacy policies updated and provide all the necessary information to data subjects trying to be as accurate as possible.
- Identify your role and the role of your partners and put in place the appropriate form of agreement or legal act.
- When anonymising personal data, make sure you have reduced the likelihood of identifying individuals to a sufficiently remote level so that the information is effectively anonymised.
- Identify where additional support is required to address areas of non-compliance.
Conclusion
Any organisation or business collecting and processing personal data should ensure that their data protection practices are being consistently revised and kept up to date with the latest guidelines.
Trilateral’s Data Governance and Cyber Risk Team has significant experience consulting organisations and other entities in advanced data management and compliance. We also support experts working within research, businesses or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.
