On 10 November 2020, the European Data Protection Board (EDPB) issued a press release noting that it had adopted its first Article 65 decision under the General Data Protection Regulation (GDPR), against Twitter. At the time of writing, this is all we know. It is for Ireland’s Data Protection Commission (DPC) to issue the final decision, with reasons, which it is required to do by 9 December 2020.
What did Twitter do?
On 17 January 2019, Twitter announced a data breach relating to the “Protect Your Tweets” feature, disclosing a bug which meant that the tweets of Android users who had used the feature to set their tweets to private could be accessed publicly whenever certain settings were changed by the user. Twitter noted that the bug had existed from 3 November 2014 (!) until 14 January 2019, when it was fixed.
Twitter’s European HQ is in Dublin, so Twitter falls under the jurisdiction of the DPC for data protection purposes. As the breach was notified after the GDPR came into force in 2018, the DPC investigated under that framework, although it had already been investigating Twitter since November 2018.
As Twitter has data subjects in all EU jurisdictions, several other national Data Protection Authorities (National DPAs) were interested in the result and had a right under GDPR to object. When the DPC submitted its draft decision for review on 22 May 2020, several of the National DPAs duly objected.
After consultation, pursuant to Article 65, the DPC referred the matter to the EDPB to resolve under its dispute resolution mechanism. EDPB members are given one month to come to a decision by a two-thirds majority, which can be extended by a further month on grounds of complexity. If there is still no agreement, a further two weeks are given to reach a decision by simple majority. The EDPB then notifies the relevant National DPA of the decision, which that DPA then has a month to issue.
How big might the fine be?
While there is little doubt that there will be a fine, given that there has been a breach and that this is not a more complex challenge to a data collection practice, the level of the fine is very much uncertain.
Given that this is the first GDPR decision against one of the global tech giants, eyes are very much fixed on the size of the fine against Twitter, which, famously, can be the higher of €20 million or 4% of worldwide turnover.
The United Kingdom’s Information Commissioner (ICO) had come out of the blocks fast, proposing fines of £99.2 million against Marriott Hotels (3.5% of global turnover) and £189.39 million against British Airways (1.5%), only to later agree to much smaller fines of £18.4 million (0.6%) and £20 million (0.2%) respectively. There is speculation that some of this reduction recognises that both businesses will have been significantly affected by the COVID-19 pandemic, but it may also reflect that National DPAs simply will not be able to levy fines at such eye-watering levels after the inevitable appeals and discussions which follow an initially proposed fine. Even once the Irish DPC decision is issued, it will certainly be some time before any money is shaken out of Twitter’s coffers.
GDPR has undoubtedly improved the speed at which the public find out about data breaches, in contrast with the previous system, in which a press release would creep out notifying customers of a password breach several years after it actually occurred. What it clearly has not done is reduce the wrangling over fine levels and fault that often plagues regulators’ interactions with their industry.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.