The Irish Knowledge Safety Authority imposed a positive of € 450,000 on Twitter for information breach following the EDPB choice as a part of the GDPR consistency mechanism
On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its € 450,000 fine on Twitter International Company (“Twitter”) after investigating a breach resulting from a design flaw on Twitter. The fine is the largest imposed by the Irish Data Protection Authority under the EU General Data Protection Regulation (GDPR), and it is also the first against a US-based organization.
The flaw in question resulted in protected tweets being changed to unprotected tweets so that they were generally available to the public without the user’s knowledge. This bug affected Twitter users on Android devices who had changed the email address associated with their Twitter accounts. Twitter estimated that between September 5, 2017 and January 11, 2019, 88,726 Twitter users in Europe were affected. The bug was discovered on December 26, 2018.
Investigation and GDPR dispute resolution process
The DPC launched its investigation into the breach by Twitter under Section 110 of the Irish Data Protection Act 2018 in January 2019 and submitted its draft decision to the “regulators concerned” in May 2020 under Article 60 of the GDPR. Regulatory authorities in Austria, Italy and Germany objected to the size and “insufficiently deterrent nature” of the fine proposed by the DPC, which ranged from EUR 135,000 to EUR 275,000. This resulted in the DPC triggering the DSGVO dispute settlement procedure and referring the matter to the European Data Protection Board (“EDPB”) regarding the objections that it was unable or unwilling to resolve.
This is the first time that the dispute settlement procedure under Article 65 of the GDPR has been applied. The EDPB assessed the matter and issued its binding decision on November 9, 2020, according to which the DPC “will reassess the elements on which it relies to calculate the amount of the fine to be imposed [Twitter]and amend its draft decision by increasing the amount of the fine to ensure that it fulfills its corrective action purpose and meets the requirements of effectiveness, deterrence and proportionality. “
In assessing the DPC’s initial approach, the EDPB noted that the DPC should have had greater weight in calculating its fine while calculating the nature and extent of the processing related to the breach, and specifically noted that that Twitter users have relied on the ability to keep tweets private to share information or views that they would not normally share publicly. Accordingly, when adjusting the fine in its final decision, the DPC noted that it was particularly considering the conscious decision of Twitter users to limit the audience of their tweets.
Background of the investigation and results of the DPC
The alleged errors identified by the DPC were Twitter’s violations of Article 33 Paragraphs 1 and 5 of the GDPR, which relate to the reporting and documentation of data protection violations. The DPC found that Twitter did not report the violation to the DPC within the 72-hour period and did not adequately document the violation.
According to Twitter, the delay in notifying the DPC within the required timeframe was due to a failure by Twitter International Company’s processor, Twitter, Inc., to notify Twitter International Company’s data protection officer of the possible breach when it became aware of it attained. However, the DPC has essentially assumed the processor’s knowledge of the possible violation by the Twitter International Company and stated that it is the controller’s responsibility to ensure that there is an effective process in place that allows processors to tell the controller about a Personal data breach to inform and that where this does not occur and will result in a delay in notification. It is assumed that the controller has constructive knowledge of the violation through its processor. This finding underscores the importance of seamless collaboration between controllers and processors in relation to security events that lead to potential notification obligations.
Regarding Twitter’s alleged failure to document the violation under Article 33 (5) of the GDPR, the DPC stated that the company’s documentation of the violation did not contain enough information to enable the DPC to ensure Article compliance 33 of the GDPR through Twitter. Specifically, the DPC stated that the incident report provided by Twitter did not provide an adequate explanation of the issues that caused the delay in notifying the DPC, nor did it address how Twitter assessed the risks posed by the breach to affected users. This finding confirms the importance of taking stock of infringements under Article 33 (5), which should be carefully considered following this decision.
In calculating the fine, the DPC took into account the fact that the delay in reporting the breach was an isolated rather than a systemic problem, but noted that the breach of Article 33 (5) of the GDPR “continued” as Twitter claimed it was in his remarks that his documentation of the violation was not inadequate. However, the DPC considered the violations of Article 33 Paragraphs 1 and 5 of the GDPR to be negligent rather than deliberate.
In terms of mitigation, the DPC viewed the steps taken by Twitter, Inc. to fix the bug as the only mitigating factor, disregarding Twitter’s legal steps. The DPC stated: “A measure taken by a data controller when he is under a legal obligation to do so cannot be seen as a mitigating factor.” Twitter’s cooperation with the investigation was also made a legal requirement not considered a mitigating factor. The DPC also considered the “inaccuracy” of the information originally provided to the DPC in relation to the infringement as a relevant factor in determining the amount of the fine.
Twitter tweeted following the DPC’s announcement that it would take full responsibility for its mistake and continue to work to protect its customers’ privacy, adding, “We appreciate the clarity that this decision has for businesses and the public with regard to the company’s reporting requirements GDPR for violations. As always, our approach to these incidents will be one of committed transparency and openness. “
Download both the final decision of the DPC and the decision of the EDPB.
See also the EDPB register for decisions taken by regulators and courts on issues related to the coherence mechanism.