Twitter has been fined €450,000 for breaching its data breach notification and record-keeping duties under the General Data Protection Regulation (GDPR).
The level of penalty was confirmed by the European Data Protection Board (EDPB) after a dispute arose between the Irish Data Protection Commission (DPC) and other data protection authorities across Europe over the Irish authority's approach to enforcement in the case.
It is the first time the EDPB has had to step in to resolve such a dispute between data protection authorities (DPAs).
The GDPR provides a so-called 'one stop shop' mechanism of regulation and enforcement, meaning businesses need only deal with one DPA instead of 27 different DPAs across all EU member states. However, the Regulation makes provision for the cooperation of DPAs in cases where alleged infringement occurs in more than one jurisdiction. In such cases, the lead supervisory authority – here, the DPC in Ireland, where Twitter has its European headquarters – must enter into dialogue with the other DPAs in the countries where data subjects have been affected. While the responsibility for investigating alleged infringement sits with the lead authority, the Regulation gives the other DPAs scope to input to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority.
The powers of the EDPB to issue a binding decision in cross-border enforcement cases arise under Article 65(1)(a) of the GDPR and apply where the lead authority rejects the objections raised but another DPA continues to stand behind them.
In this case, the Irish DPC came to a draft decision earlier this year. It consulted on that decision with all other national DPAs, but DPAs in eight EU member states raised objections, including DPAs in France, Germany, the Netherlands and Spain. Although the DPC was able to resolve some of the objections in its response, including those raised by Denmark's DPA, there were remaining objections, requiring the DPC to refer the case to the EDPB to resolve.
In its decision, the EDPB upheld the substance of the DPC's draft decision, ruling that the objections raised by the other DPAs, other than those concerning the level of the fine, did not meet the required standard of being "relevant and reasoned" – in essence determining that the objecting DPAs had failed to clearly demonstrate that the DPC's draft decision posed significant risks to the fundamental rights and freedoms of data subjects, as the GDPR's definition of a relevant and reasoned objection requires.
"In its findings the EDPB stressed that the dispute resolution procedure is used as a method of ensuring consistency of approach across member states and it also specifically pointed to the lead supervisory authority’s obligation, under Article 60 of the GDPR, to cooperate with the other supervisory authorities in the context of setting the scope of enquiries," said Dublin-based data protection law expert Dermot McGirr of Pinsent Masons, the law firm behind Out-Law. "These points highlight that 'one stop shop' regulation by one member state’s supervisory authority does not mean that the other supervisory authorities will not play an important role in both the scope of enquiries, findings and any resulting sanctions."
The fine imposed on Twitter in the case stemmed from breaches the DPC determined had occurred under Article 33 of the GDPR concerning the timeliness of reporting personal data breaches and the requirements to document such breaches. Twitter was not fined for the data breach itself.
McGirr said: "The fine demonstrates how these types of GDPR breaches will be strictly enforced and reminds controllers that their security breach incident management plan needs to be GDPR compliant by design – i.e. facilitate quick action and detailed reporting. This is particularly an issue during holiday periods, as the data breach that arose in Twitter's case arose from a bug that was discovered on 26 December 2018."
Under Article 33 of the GDPR, controllers must notify the competent supervisory authority of personal data breaches they have experienced "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". Where notification is not made within 72 hours, it must be accompanied by reasons for the delay, and the controller must document every personal data breach, including those it decides not to notify, so that the supervisory authority can verify compliance. In addition, under Article 34, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also communicate the breach to the affected data subjects directly and without undue delay.