- A Private Citizen’s Complaint Puts Greece in the “EU Hot Seat”.
- Over the past seven years, the Hellenic Communication Security and Privacy Authority (ADAE) has issued a total of 96 rulings, imposing administrative fines of 8 million euros on telecommunications companies.
- G. Floras: The fines represent only 0.08% of the telecom companies’ profits during this period, allowing them to continue systematically violating privacy.
- When hackers intercepted the data of 12,013,928 users.
The Petitions Committee of the European Parliament is demanding explanations from the Greek government regarding a complaint by a private Greek citizen alleging the systematic violation of mobile phone privacy by telecommunications companies affecting millions of users in the country.
This issue has been repeatedly brought to the attention of the Hellenic Authority for Communication Security and Privacy (ADAE), as evidenced by official documents and decisions. A detailed investigation has also been published by Data Journalists.
Διάτρητο το απόρρητο για εκατομμύρια χρήστες κινητής τηλεφωνίας
Over the past seven years, the ADAE has issued a total of 96 decisions, imposing administrative fines of 8 million euros on telecommunications companies. However, during the discussion of the complaint before the European Parliament’s Petitions Committee, businessman Giorgos Floras, who filed a complaint with the ADAE in March 2017, pointed out that the Hellenic Authority for Communication Security and Privacy only imposes the minimum fines allowed and does not forward its decisions to the judiciary to investigate possible criminal liability. In fact, the fines amount to only 0.08% of the telecom companies’ profits during the same period, allowing them to continue systematically violating privacy without taking appropriate measures.
Following the discussion, the committee asked for explanations from the relevant ministries of the interior and justice, as well as from ADAE, according to a letter sent by the committee’s chairman to G. Floras and published by Data Journalists. This is yet another case in which Greece comes under the scrutiny of Europe.
It should be noted that Mr. Floras’ report has already been referred to the LIBE Committee of the European Parliament. This is the committee that monitors the rule of law in EU member states, including Greece. However, let’s take a look at what happened in the Petitions Committee of the European Parliament when Mr. Floras’ report – his complaint – was examined.
The report and the reply
Last summer, Mr. G. Floras, an entrepreneur, submitted a report to the European Parliament denouncing the systematic violation of the privacy of communications of millions of mobile phone users in our country by mobile phone companies. This is the report number 0449/2024 on alleged violations of communications privacy.
On July 5, the Chair of the Petitions Committee, Dolors Montserrat, sent a personal reply letter to Mr. Floras. In this letter, Mr. Montserrat stated that the Petitions Committee had considered the report and found it “admissible”. Furthermore, as noted in the reply letter, Mr. Montserrat requested that “the European Commission conduct a preliminary investigation into the matter”, while also forwarding it to “the Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament for information”. In addition, the Chairman of the Petitions Committee stressed that he would inform him of any further action in due course.
Read the detailed letter
A few months later, Mr. Floras was notified to travel to Brussels, as his report was to be discussed before the Petitions Committee of the European Parliament. Indeed, the entrepreneur traveled to Brussels at the beginning of October last year. During the hearing with the MEPs of the Committee, he reported that in Greece “the privacy of the communications of mobile phone users is systematically violated due to the responsibility of the large telecommunications companies”.
Specifically, Mr. Floras referred to Directive 2002/58/EC “on the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)”, commonly known as the “ePrivacy Directive”. This Directive was transposed into Greek law by Law 3471/2006.
However, as he noted, “the Directive has been incorporated into national law but is not enforced” because “in reality, there is a situation where the violation of communications privacy is the norm”.
“Slap-on-the-wrist fines from ADAE”
In support of his claims, Mr. Floras cited 96 decisions by the Hellenic Authority for Communication Security and Privacy (ADAE) regarding communications privacy violations issued over the past seven years. Of these, 52 concerned Cosmote and 20 concerned Vodafone. While the ADAE did impose fines on the companies, he argued that the amounts were the minimum allowed by law.
“If you look at the list of fines, you’ll see that the ADAE imposes the lowest possible fines, even though the companies systematically violate privacy,” he noted, adding that “the total fines imposed on mobile phone companies over the last seven years amount to 8 million euros, while their profits over the same period reach 11 billion euros.”
In simple terms, the total amount of fines imposed by the ADAE represents only 0.08% of their profits, resulting in continued violation of communications privacy instead of compliance through appropriate measures.
Furthermore, Mr. Floras stated that the ADAE has never taken additional measures against mobile phone companies, such as revoking their operating licenses – either temporarily or permanently – due to systematic privacy violations, nor has it referred its decisions to law enforcement authorities to seek possible criminal liability.
Hackers intercepted data of 12,013,928 users
To support his claims, Mr. Floras presented several decisions of the ADAE. One of them was Decision No. 225/2022, regarding the data compromise of 12,013,928 Cosmote users by hackers in September 2020. The ADAE’s investigation revealed that the hackers managed to breach the company’s data by “using the access data of an administrator whose password was listed among the leaked passwords of social media (LinkedIn, Facebook, etc.) and other services”.
In other words, as the ADAE auditors reported, “a database maintained by hackers contained identifying information about the company and the access account (username and password) of a COSMOTE employee who actually had administrative rights to the company’s Information and Communication Systems (ICS).”
In addition, as the auditors noted, “the critical access account details of the company employee, which were intended for use in the ICS, may have been used in personal, non-company applications/services, from which the data leaked. It is striking how the negligence of one employee in a private company can expose millions of users of a telecommunications giant.
In the end, the ADAE, in its decision no. 225/2022, found COSMOTE responsible for the “leak of identifying information about the company and the access account (username and password)” and imposed a fine of 200,000 euros. In addition, the Independent Authority for Public Revenue (IAPR) found “discrepancies at the time of the incident in the implementation of COSMOTE’s security policy to ensure the privacy of communications” and imposed a fine of €3 million.
Serious allegations require a thorough investigation
After Mr. Floras’ hearing, MEPs on the Petitions Committee commented on his allegations. With the exception of New Democracy MEP Freddy Beleris, all others from different political groups in the European Parliament described the allegations as “extremely serious” and called for a “thorough investigation”.
In particular, Nils Usakovs, a Latvian MEP representing the Socialists and Democrats, described the allegations as “very serious” and stressed that “the report should not be closed before a thorough investigation is carried out”.
The investigation should continue until we find that Greece complies,” he noted.
For her part, Spanish Green MEP Miranada Paz stressed that “Greek citizens are completely exposed and the report must remain open. This is a very broad case from a legal point of view.
SYRIZA MEP Nikos Pappas argued that “there is a violation of the privacy of communications in Greece, both by companies and by individuals,” and stated that “the report should remain open and we should request additional information from the IAPR.
Maria Zachari, an MEP from the Freedom Party, pointed out that “this report confirms the erosion of the rule of law in Greece”.
“ePrivacy has been disregarded. We demand that the report remains open and that the European authorities intervene”, she stressed.
Watch the video of the MEPs’ interventions
“Statements by the ADAE, the Ministry of Justice and the Ministry of the Interior”
A few days after the hearing, on October 18, Mr. Floras received a second letter from the Chair of the Petitions Committee, Dolors Montserrat. In this letter, she noted that “following the discussion, the Committee decided to forward your report to the relevant national authorities, namely the Ministry of Justice, the Ministry of the Interior and the Hellenic Authority for Communication Security and Privacy (ADAE), for their comments.” This means that the Committee considered Mr. Floras’ allegations to be serious and requested explanations from the Greek government.
Furthermore, as the letter points out, “once the Petitions Committee receives the necessary information, the examination of your report will continue.”
Read the full letter:
It is not known whether the two ministries and the ADAE have so far provided the European Parliament with the necessary information. What is certain is that Greece is once again under EU scrutiny on this issue.
Discussion about this post