Wind Tre’s GDPR Fine: Real Deterrent or Cost of Doing Business?

Hyun Choi Brown University

Abstract discussion of inadequate nature of marketing contact S.p.A. is an Italian service provider of mo- consent given through Wind Tre’s apps, MyWind and bile phone, telephone, and Internet. In July 2020, My3. In many cases, revoked consent was not properly Wind Tre was fined 16.7 million Euros for its viola- recorded, and the same consumer was contacted re- tion of the GDPR in its data processing activities for peatedly. The most egregious violations are the in- direct marketing. Italy has recently been ramping up stances where customer consent was given to other its enforcement of the GDPR with relatively high companies, and this data was acquired illegally by fines. However, the fined amounts may not be enough Wind Tre. to truly deter future violations. 2.2. Wind Tre’s Negligence 1 Background While it is indisputable that the data subjects at hand are the consumers who were contacted by Wind Tre,

and the data controller was Wind Tre itself, the com- Telemarketers seem to be an omnipresent nuisance to pany also did not properly check that its data proces- people around the globe. Being the subject of numer- sors were acting in compliance with the GDPR. The ous complaints to Garante per la protezione dei dati report states that “subjects who carry out a promotion- personali (the Italian Data Protection Authority under al activity on their own have been appointed as data the GDPR), Wind Tre S.p.A., an Italian telecommuni- processors,” but there were inconsistencies that should cations company, was investigated for violations of the have caused Wind Tre to undertake more stringent GDPR in carrying out its direct marketing activities. checks on its data processors. Even after a serious vio- The investigation found promotional activity through lation was noticed, Wind Tre only sent a “simple re- text messages, e-mails, faxes, telephone calls, and au- minder for a more careful application of the rules,” tomated calls made by Wind Tre with varying degrees indicating the company’s wanton neglect of the gravity of prior consent. of the situation. Simply put, if Wind Tre actually cared about complying with the GDPR to any degree, these violations would not have occurred. The company re- 2 GDPR Violations ceived an injunction from Garante in 2018 for similar violations of the GDPR. Clearly, company executives 2.1. Lack of Adequate Consent did not take the GDPR as seriously as they should In the Garante investigation, Wind Tre was only able have or thought that the cost of a fine would be out- to demonstrate customer consent to being contacted weighed by the potential benefits. for a portion of marketing target consumers. Many These violations occurred over a significant period of instances of marketing activity were performed with- time. While Garante only notes the violations starting out any consent at all. Many others were made “on the on May 25, 2018, when the GDPR came into full basis of consent to be considered unsuitable.” Some force, it is apparent that customer data and consent consent agreements dated back to before the stringent were not properly obtained since before that date. requirements of the GDPR, while some others were acquired from business partners. There is also a long 2.3. Financial Penalty we know that the company’s total revenue exceeds 6 In deciding the financial penalty, Garante found signif- billion Euros, with profits exceeding 2.8 billion Euros. icant factors weighing against Wind Tre. These factors In short, the fine simply does not seem sufficient to included the “significant duration of the violations,” properly deter other companies (or even Wind Tre it- malice found in obtaining consent, negligence found in self) to properly adhere to the GDPR. Wind Tre has the “inadequate implementation of the fundamental shown itself to be a repeat offender and intentionally principles of privacy by design,” and previous sanc- malicious in its flagrant disregard of the law. And yet, tions levied upon Wind Tre in past years. It was appar- its fine amounts to 0.32% of annual revenue, accord- ent that Wind Tre did not learn its lesson from the pre- ing to Garante’s calculations. Even though the tele- vious time it was the recipient of an injunction in communications industry is not known for its large 2018. Accordingly, Garante fined Wind Tre a total of profit margins, 16.8 million Euros is almost a rounding 16,729,600 Euros, while allowing a payment of just error for a multi-billion-euro company like Wind Tre. I half of this amount to settle this matter if paid within believe it is likely that these relatively small fines for 30 days. [1] Additionally, Wind Tre was ordered to large companies do not act as enough of a deterrent “implement technical and organizational measures from breaking the GDPR. Since Wind Tre’s violations appropriate for the effective control and management had to do with direct marketing activities, it is entirely of its business partners in order to avoid further mar- possible that even after paying the fine, Wind Tre keting violations.” [2] made a profit by breaking the law, especially since the fine could be reduced by 50% by paying it within 30 3 Discussion days.

3.1. Prevention 4 References It seems that there was no clear technical issue with how Wind Tre was utilizing consumer data. It was its attitude toward collecting customer consent (or lack [1] Injunction order against Wind Tre SpA - 9 July thereof) that caused the issues. In the process of col- 2020.https://www.garanteprivacy.it/web/guest/home/d lecting customer data and using it to make marketing ocweb/-/docweb-display/docweb/9435753 communications, Wind Tre did not take the proper [2] 16.7 M Direct Marketing Fine Issued By Italian precautions to ensure compliance. Authority. https://securityboulevard.com/2020/07/e16- If Wind Tre had designed its marketing software such 7m-direct-marketing-fine-issued-by-italian-authority/ that it made sure that whenever an outbound call was [3] Wind Tre Revenue, EBITDA to Decline at Least to made, a record of customer consent was present, the Q4 2018. https://reorg.com/tear-sheet-wind-tre- violations would have been less egregious. However, revenue-ebitda-to-decline-at-least-to-q4-2018- this does not solve the problem for the case where the management-tells-investors-in-meetings-driven-by- customer consent obtained was illegitimate to begin intense-competition-ahead-of-iliad-entry-synergies- with. deriving-from-network-improve/ This incident proves that the GDPR does not provide real protection against companies using personal data illegally if they do not take the most basic precautions to follow the law to begin with. Consumer consent was treated as an afterthought, and the incident where cus- tomer data was illegally obtained further proves mali- cious intent on the part of Wind Tre.

3.2. Is this a real deterrent? The total fine levied was about 16.8 million Euros. From Wind Tre’s financial statements as of 2018 Q2,