Tweeting Tardy: Twitter fined $500,000 for GDPR breach

On 3 December, we wrote about the European Data Protection Board (EDPB)’s press release, noting that it had issued a decision against Twitter under Article 65 of the General Data Protection Regulation (GDPR). This was the first such decision since the GDPR come into force in 2018. However, we could not see the reasoning until the Irish Data Protection Commission (DPC), as the lead national data protection authority (National DPA), released its decision, which it was required to do on or before 9 December 2020.

The DPC duly adopted a decision on 9 December, weighing in at a hefty 188 pages, from which we now know what breaches Twitter was being investigated for, and what changes the DPC had to make to its proposed decision following the EDPB process.

The Breach

Previously, we had noted that the investigation related to a data breach relating to the “Protect Your Tweets”  feature, which had a bug meaning that the tweets of Android users, who had set their tweets to private, using the feature, could be accessed publicly whenever certain settings (in particular, email addresses tied to the account) were changed by the user.

Under Article 33 GDPR, on becoming aware of a breach, a data controller must notify its National DPA of the breach within 72 hours, unless it is clear that the breach “…is unlikely to result in a risk to the rights and freedoms of natural persons.”

The data controller in this instance was Twitter International Company (TIC), based in Dublin, therefore under the jurisdiction of the DPC. It was accepted that Twitter Inc. (“TUS”), in the US, was the data processor.

TUS received a bug report, via a bug bounty program on 26 December 2018. A contractor of TUS assessed the bug on 29 December, referring it to TUS on the same day. TUS did not review the bug until 2 January 2019, and sought guidance from their legal team the next day (3 January). The legal team advised that there was likely to be a personal data breach, triggering TUS’ internal process on 4 January.

This would normally result in TIC’s Data Protection Officer (DPO) being informed of the incident. However, there was a failure to add the DPO to the circulation list as required by the internal procedure. The DPO (and therefore TIC) was not informed until 10:00 PST (18:00 GMT) on 7 January, when they were notified orally of the breach during a meeting.

Finally, TIC notified the DPC of the breach at 18:08 GMT on 8 January 2019.

The DPC began an investigation as to whether:

1. TIC had breached the 72 hour requirement under Article 33(1) GDPR;
2. TIC had breached the requirement under Article 33(5), to document any personal data breaches in sufficient detail to allow the relevant National DPA to verify compliance with Art 33(1)

Twitter’s Arguments

As one might gather from the above, the key issue was when TIC would be deemed to be aware of the personal data breach, thereby starting the 72 hour clock. The DPC had provisionally considered that TIC could be deemed aware either on 26 December 2018, when TUS was notified of the bug, or on 3 January, when TUS appreciated that there was likely a breach of personal data.

TIC argued that as Article 33 related to obligations of the data controller, it could not be held responsible for the delays by the processor (TUS), and so the 72 hour ‘awareness clock’ could only run from the point TIC was actually made aware, via its DPO, on 7 January 2019.

TIC stressed that the delays at TUS arose not from systemic issues in the internal processes, but because in this instance, the process was followed incorrectly via the failure to add the DPO to the circulation list. Going further back, the delay between TUS’ contractor forwarding its assessment of the bug (29 December 2018), and TUS assessing there to be a personal data risk (3 January 2019) arose due to the intervening period consisting of mostly of the weekend and a bank holiday, such that the delay could be considered reasonable.

As for Article 33(5), the DPC questioned the recording of the breach by TIC, suggesting that it was not sufficient to allow the DPC to verify compliance with Art 33. In particular, it took issue with TIC’s failure to carry out any form of risk assessment once aware of the breach, to assess the level of potential harm to affected users. TIC’s approach had been instead to assume, given the volume of affected users (about 89,000 in the EU from 2017-2019, with additional users likely affected back to 2014), that there was probably sensitive data breached.

TIC argued that the totality of the documents provided to the DPC was sufficient, and that the process it developed was on the basis of Breach Notification Guidelines provided by the EU. It cited incident reports, the experience of incident management officers at Twitter, and its offer to the DPC to provide sworn affidavits as evidence of sufficient records being taken.

The Commissioner

While the DPC, in the form of the Commissioner, Helen Dixon, reviewed TIC’s arguments carefully, she was not prepared to accept many of the submissions.

Ms Dixon noted that the purpose of Art 33(1) was to ensure that National DPAs were told of breaches in enough time to assess potential harm to data subjects, and if necessary, direct data controllers to take necessary protective and remedial actions. She added:

As I have outlined above, I consider that, having regard to the controller’s overall responsibility and accountability under the GDPR, the controller must ensure that, by means of an effective process agreed with its processor, it is made aware of personal data breaches in such a manner as to enable compliance with its own obligation under Article 33(1).

In such circumstances, where the process – as agreed with the processor – even in a once off or isolated situation, is not effective in some respect, fails, or is not followed by the processor (as it ought to have been), and this results in a delay or failure in the processor making the controller aware of the breach, I consider that the controller must, in these circumstances, be considered as having constructive awareness of the personal data breach through its processor, such that its obligation to notify under Article 33(1) continues to apply.

She later added: 

The alternative application of Article 33(1), and that being suggested by TIC, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller.

By way of this concept of constructive awareness, Ms Dixon ruled that TIC could be deemed to have been aware of the breach at the latest on 3 January 2019 (the point where it ought to have been aware), meaning the 72 hour awareness clock expired on 6 January.

For 33(5), Ms Dixon noted that her investigator had initially concluded that there was not enough information to decide whether or not TIC had complied with Art 33(1), and that several rounds of questions were required before the facts were made clear, in particular, the clarification that the delay on notification to TIC was due to failure by TUS to correctly follow the internal procedure.

She noted that a controller should record the following in their notification to a National DPA:

1. Information relating to the controller’s assessment of whether the incident / event comprised a personal data breach…;
2. Information relating to or outlining the controller’s assessment of risk posed by the personal data breach…;
3. In the case of a delayed notification, information in relation to the reasons for the delay, including details of the factors that caused the delay...;

TIC were deemed to fall short of this standard, with Ms Dixon commenting that much of the documentation she was eventually provided with were disparate, generalised documents generated in the context of TIC incident management process.

Additionally, it was not sufficient, neither to simply presume without assessment that some sensitive data must have been included in the breach, nor to rely on incident management teams experience, to omit key parts of your internal investigation. Detailed internal records of all breaches need to be kept in order to comply with Article 33(5).

Therefore, TIC was deemed to be in breach of Articles 33(1) and 33(5).

The cap for breaches of Article 33 is a maximum of 2% of global turnover. Ms Dixon concluded by assessing gravity, before levying an administrative fine of $500,000, (or around 0.14% of TUS’ global turnover). Arguments by TIC that it should be the relevant unit from which to assess turnover was rejected as clearly, TUS as parent exerted decisive influence over TIC’s operations, notwithstanding that for the purposes of data processing, TIC controlled the data processed by TUS.

Why the EDPB took so long

Reviewing the DPC’s decision, we also get an insight into how the process of consulting with the EDPB worked. This can also be gleaned from the EDPB’s Article 65 decision, released to the public at the same time as the DPC decision, which can be read here.

The DPC submitted its draft decision, after taking submissions from TIC, on 22 May 2020, eventually resulting in referral to the EDPB under the Article 65 dispute resolution procedure. The EDPB did not adopt its decision until 9 November 2020.

This delay of almost four months is probably understandable when we consider that the DPC’s draft decision was initially objected to by eight National DPAs (Austria, Germany (represented by Hamburg), Denmark, Spain, France, Hungary, Italy and the Netherlands). Each objection from each National DPA needed to be resolved before the EDPB could issue its decision.

Ms Dixon herself has commented publically that this reconciliation process was less than ideal, and took too long for her liking.

The objections raised by the eight national DPAs universally argue in various ways that the DPC’s draft decision was not sufficiently harsh, objecting to weighting of factors, the fine level, and to give one example, the reasoning offered for not issuing a reprimand along with an administrative fine. Particularly eye catching was the German National DPAs suggestion that under its fining guidelines, it would have suggested a fine potentially as high as $26.92 million (about 0.75% of global turnover) for the Article 33 infringements. The EDPB required the DPC to reassess its proposed fine level, which was then set as a range between $150,000-300,000, though it did not really comment on the suggested sanction from the German National DPA.

In some ways, this shows very clearly the need for the Article 65 procedure. It would likely undermine the operation of GDPR if establishments were subject to wildly differing fines depending on where they happened to be established. Indeed, it is easy to see how a race to the bottom might start, with softer National DPAs been touted as a reason for establishing in one jurisdiction rather than another.

Takeaways

While Twitter, as one of the biggest tech companies on the planet, handling the data of millions of people, will clearly be held to the very highest standards by National DPAs in terms of its GDPR compliance, there are lessons to be drawn whatever the size of your business as follows:

1. Engaging a data processor cannot be a “set and forget” task, as controllers will likely be held liable for any lethargy on the part of the processor. Contracts will have to enshrine and stress the need for processors to notify of breaches pretty much as soon as they discover them. Controllers with the resources to do so will need to periodically audit their processor’s practices.
2. Data controllers must have (and agree with processors where relevant), clear reporting and recording procedures and have these ready to provide to regulators where requested. Each and every breach should be recorded and assessed.
3. The EU is still working out its fining scale, and, where there is not a need to refer to the EDPB, much is going to depend on the view of individual National DPAs and their view of a “dissuasive” fine level. Based on their arguments regarding the Twitter decision, companies in Germany and Austria need to tread carefully.

Brexit

The United Kingdom will shortly exit its Transition Period with the EU on 31 December 2020. Deal or no deal, the UK will adopt an adapted version of the GDPR, with the same standards, principles and maximum fines, applying to the UK only. This means that if the ICO turns out to be a more aggressive (or more lenient) regulator in respect of fine levels, it will not be involved in any EDPB mechanisms aimed at equalising fining scales. UK firms may find themselves subject to differential fine levels as opposed to EU counterparts.