Twitter is likely to suffer significant fines in the EU for its handling of a data incident, but regulators are conflicted about their response.
In late 2018, Twitter experienced a data breach involving the exploitation of a system vulnerability, and a separate breach in early 2019 in which protected tweets were made public. Ireland’s Data Protection Commission (“DPC”) took issue with Twitter’s notification of the data breaches as required by Articles 33(1) and 33(5) of the EU’s General Data Protection Regulation (“GDPR”). In particular, the DPC has been focusing on whether Twitter reported the breaches to authorities and platform users in a timely manner.
One of the Twitter breaches related to a bug in Twitter’s Android-based mobile applications that resulted in the unauthorized exposure of private Twitter accounts. The DPC was also probing almost two dozen other large technology companies at the end of last year. Because many large technology companies operate out of Ireland, the DPC has significant authority over them. For example, after receiving a number of complaints from consumer organizations, the DPC probed Google’s processing of location data.
The DPC’s investigation into Twitter concluded in October, and the DPC had been deliberating Twitter’s level of punishment. The maximum fine that any company could face from a GDPR decision is 4% of its global revenue or €20 million, whichever amount is higher. On May 22, 2020, the DPC submitted a draft decision to the other concerned supervisory authorities, in accordance with Article 60 of the GDPR, to consider their views before making a final verdict. Article 60 of the GDPR requires the lead supervisory authority to communicate the relevant information on the matter to the other supervisory authorities concerned. The lead supervisory authority is also required to submit a draft decision to the other supervisory authorities “concerned for their opinion and take due account of their views”.
Other EU regulators took issue with the DPC’s preliminary ruling on Twitter. Though a significant fine seemed inevitable for Twitter, it appears that the DPC’s consultation of all concerned EU supervisory authorities (“CSAs”) has led to a possible change. Graham Doyle, Deputy Commissioner of the DPC, stated that the DPC has referred the matter to the European Data Protection Board (“EDPB”). The next steps in the process are prescribed by Article 65 of the GDPR, which is meant to “ensure the correct and consistent application of this Regulation in individual cases.”
When a CSA raises a “relevant and reasoned objection” to a draft decision of the lead authority, or the lead authority has rejected such an objection as being not relevant or reasoned, a binding decision is to be adopted by the EDPB. The binding decision should be adopted within one month of the referral of the subject-matter, by a two-thirds majority of the members of the Board. However, that period may be extended by another month on account of the complexity of the subject-matter. When the EDPB is unable to adopt a decision within that month (or the additional month, when applicable), the EDPB can make a decision by a simple majority of its members. Where the members of the Board are split, the decision shall be adopted by the vote of its Chair.
Considering Twitter’s size and the consequences of large enforcement actions, it is not surprising that there are differences of opinion among the CSAs. Whatever decision the EDPB comes to must be adopted by the DPC, as the lead authority, within one month of that decision.