The Data Protection Commission (the "DPC") announced on 15 December 2020 that it has imposed an administrative fine of €450,000 on Twitter International Company ("Twitter") as a result of that company's handling of, and response to, a data breach. The data breach in question, which occurred in December 2018, involved a technical issue which resulted in some Twitter users' protected tweets becoming publicly available to other viewers. The DPC found that Twitter infringed Articles 33(1) and 33(5) of the General Data Protection Regulation (the "GDPR") as a result of its failure to notify the DPC of the breach within the statutory 72-hour notification period and its failure to adequately document the breach.
In this briefing, we examine the significance of this decision in the wider context of the application and enforcement of the GDPR in Ireland and across the EU.
The Decision-making Process
The DPC launched an inquiry into Twitter on 22 January 2019 following receipt of a data breach notification from Twitter. The programming error that was responsible for the breach in question may have existed since 2014 and affected at least 88,726 users in the EU and EEA between 5 September 2017 and 11 January 2019. However, while the data breach in question was recognised by Twitter internally on 26 December 2018, there was an internal delay during the Christmas holiday period which resulted in Twitter ultimately notifying the DPC of the breach on 8 January 2019.
In light of the cross-border nature of the processing of personal data that was the subject of the breach, the DPC, as the lead supervisory authority for Twitter, cooperated with other supervisory authorities concerned with the intention of reaching a consensus on this matter pursuant to Article 60 GDPR. Accordingly, the DPC submitted its draft decision to the other supervisory authorities concerned in May 2020 in relation to the inquiry it had completed into Twitter and its compliance with Articles 33(1) and 33(5) of the GDPR. However, the DPC and the other supervisory authorities concerned were ultimately unable to a reach a consensus.
As a result, in accordance with the consistency mechanism provided for under Chapter VII of the GDPR, which aims to achieve the consistent application of the GDPR throughout the EU, the matter was referred to the European Data Protection Board (the "EDPB") under Article 65 of the GDPR. Pursuant to this provision, the EDPB may adopt a binding decision in accordance with the dispute resolution mechanism provided thereunder. The EDPB adopted its binding decision on 9 November 2020 and, in accordance with its obligations under Article 65(6) of the GDPR, the DPC announced on 15 December 2020 that it had delivered its final decision on the basis of the EDPB's binding decision.
What are the Key Implications of this Decision?
The Twitter case marks the first time the EDPB has issued a binding decision as a result of the use of the dispute resolution mechanism under the GDPR since its introduction in May 2018. Notably, the DPC, Helen Dixon, has stated her dissatisfaction with the process for reaching a consensus with the other supervisory authorities due to its length and complexity. However, the Commissioner recognised that this case marked the first time the process was used and, as such, there is the possibility of improvements in the process in future investigations.
A Closer Look at the Fine Imposed
It is particularly significant that the Twitter case marks the first time the DPC has imposed a fine on a 'big tech' company under the GDPR. The DPC in its draft decision had initially proposed to impose a fine within the range of US$150,000 – US$300,000 (approximately €135,000 to €275,000). However, the EDPB, in its binding decision, required the DPC to re-assess and increase the level of the fine to be imposed on Twitter "in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality". In the statement announcing its final decision, the DPC described the increased administrative fine of €450,000 as "an effective, proportionate and dissuasive measure".
This is unlikely to have appeased some of the other EU Supervisory Authorities who were seeking much higher fines. For example, the German Supervisory Authorities advocated for a fine of between €7,348,035.00 and €22,044,105.00. The German rationale was based on the fact that "As Twitter's business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable."
The DPC took a more measured view and determined that the €450,000 fine was in keeping with the nature of the infringement that occurred and the time period. In a statement responding to the DPC's decision, Twitter pointed out that the delay in reporting the relevant breach occurred as "an unanticipated consequence of staffing between Christmas Day 2018 and New Years' Day" so it seems fair to assume that the DPC took account of the fact that a delay over the Christmas holiday period did not necessarily point to a wider recurrent or systemic fault in Twitter's reporting procedures. It is also notable that while Twitter took steps to remedy the initial source of fault and cooperated with the DPC throughout its inquiry, the degree of cooperation by Twitter was found to not amount to a mitigating factor in the final decision reached. The DPC noted that this was a statutory obligation and Twitter did not go beyond such duty.
Ramifications for the Future
The Twitter case has shone a light on the tortuous nature of the consistency and cooperation mechanism under GDPR and on the lack of a consistent regulatory policy among Supervisory Authorities as to how to apply corrective measures, especially fines, in a manner that meets the Article 83 threshold of being "effective, proportionate and dissuasive". The case illustrates that the DPC followed the letter of the law in terms of the process, the decision is well reasoned and, at 188 pages, very detailed. While the decision was revised on foot of the dispute resolution mechanism, the DPC preserved its policy position that this was a matter which warranted a relatively modest fine when assessed on its merits.
However, it would be unwise to read too much into the case as it will be some time before we have a sufficient body of other DPC decisions to discern predictable outcomes to future investigations. Arguably many of the other live investigations that await a final decision of the DPC will address more obvious harms to data subjects, and in turn may produce starker outcomes.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.