One way or the other, Ireland's Data Protection Commission was going to set a precedent with its much-anticipated ruling on Twitter's EU General Data Protection Regulation violations related to a 2019 data breach. The decision was finalized Dec. 15, 2020, and amounted to a fine of just 450,000 euros against the social media company, marking the DPC's first GDPR enforcement against a multinational.
"This inquiry was opened following the receipt of a breach notification from Twitter in January 2019, and it was specifically focused on Twitter’s compliance with Articles 33(1) and 33(5) of the GDPR," Irish DPC Deputy Commissioner Graham Doyle said. "The DPC has today announced the imposition of an administrative fine of 450,000 euros on Twitter as an effective, proportionate and dissuasive measure."
Doyle's emphasis and the DPC's focus on the breach notification, which Twitter provided outside of the mandated 72-hour reporting window, were among the key objections brought forth by fellow EU data protection authorities when the draft decision was reviewed in August under the dispute-resolution mechanism in Article 65 of the GDPR. In its binding decision on the Article 65 procedure, the European Data Protection Board noted that concerned supervisory authorities wanted more consideration given to Twitter's security measures than to the late notification.
The EDPB implied the DPC could have made more of an effort to address objections and harmonize DPAs' positions, specifically calling attention to "the duty for the (lead supervisory authority) to 'endeavour to reach consensus'" in its binding decision. Doyle called the objections "relevant and reasoned" and maintained the DPC did what it could to work through the differences.
TrustArc Director of EU Operations and Strategy Paul Breitbarth sees the lack of results and general friction during the dispute-resolution process as something to watch with future cases.
"I had expected the board to have more discussions on the content of the investigation report and be in more agreement on that part. It now appears that they have defined their own guidelines so strict that only the objection against the amount of the fine could stand the test," Breitbarth said. "I believe there will be some further discussions on the concept of the ‘relevant and reasoned objection,’ since multiple supervisory authorities will likely not be satisfied that all their objections have been set aside as ‘out of scope’ by the EDPB."
The fine marks an early win for Big Tech companies as further enforcement actions loom. In a statement, Twitter Chief Privacy Officer and Global Data Protection Officer Damien Kieran said the company worked closely with the DPC on the matter and respects its decision, pointing to a "shared commitment" to privacy and online security.
"We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements," Kieran said. "Our approach to these incidents will remain one of transparency and openness."
With onlookers likely questioning the toughness of the DPC's action, Breitbarth said judgement should be reserved given the scope the DPC was working under.
"Had the DPC looked at the security policy of Twitter as part of this investigation, the outcome could have been quite different," Breitbarth said. "However, that investigation is allegedly still ongoing. When just looking at the delayed notification of a serious breach, I don’t believe a multimillion-euro fine would be proportionate, even though it would be much more dissuasive."