After EDPB decision under GDPR mechanism, Twitter fined €450,000 by Irish DPA

The Irish Data Protection Commission (DPC) on December 15 slapped a fine of €450,000 on Twitter International Company

Update: 2020-12-18 08:44 GMT


The Irish Data Protection Commission (DPC) on December 15 slapped a fine of €450,000 on Twitter International Company (Twitter) following its probe into a breach arising from a bug in Twitter's design. The bug was uncovered on December 26, 2018.

To date, this is the biggest fine imposed by the Irish DPC under the European Union (EU) General Data Protection Regulation (GDPR). It is also the first fine the DPC has imposed on a US-based organization. The bug in question rendered protected tweets unprotected, exposing them to the public without the user's knowledge. Twitter users on Android devices who changed the email address linked to their Twitter accounts were affected. According to Twitter, 88,726 users in Europe were affected between September 5, 2017 and January 11, 2019.

In January 2019 the DPC began probing the breach by Twitter under Section 110 of the Irish Data Protection Act 2018. In May 2020, it submitted its draft decision to the "Concerned Supervisory Authorities" as required by GDPR Article 60. Supervisory authorities in Austria, Italy and Germany raised objections to the size and "insufficiently dissuasive nature" of the DPC's proposed fine of €135,000 to €275,000. As a result, the GDPR's dispute resolution procedure was triggered and the objections that could not be resolved were referred to the European Data Protection Board ("EDPB").

This was the first use of the dispute resolution procedure under GDPR Article 65. After weighing the matter, the EDPB on November 9, 2020 issued its binding decision that the DPC "re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on [Twitter], and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfills its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality." The EDPB felt the DPC should have placed more weight on the nature of the breach and the processing involved when calculating its fine. In its final decision the DPC adjusted the fine, noting that it gave particular consideration to Twitter users' choice to limit their tweets' audience.

The DPC found that Twitter had infringed Articles 33(1) and 33(5) of the GDPR, which pertain to data breach notification and documentation, respectively. Twitter did not notify the DPC of the breach within 72 hours and failed to document the breach sufficiently. Twitter argued that the delay arose because its processor, Twitter Inc., failed to inform Twitter International Company's DPO of the potential breach when it became aware of it, so the controller could not notify the DPC within the stipulated timeframe. The DPC rejected this, stating that a controller is expected to have constructive knowledge of a breach through its processor. The DPC also found that Twitter's record of the breach was insufficient to allow it to verify whether or not Twitter had complied with GDPR Article 33. While the DPC characterised the notification delay as a one-off rather than a systemic issue, it held that the infringement of GDPR Article 33(5) was ongoing.

Still, the DPC considered Twitter's infringement of Articles 33(1) and 33(5) negligent rather than intentional. "An action, taken by a controller where it is mandated to do so on foot of a statutory obligation cannot be viewed as a mitigating factor," the DPC said. In deciding the fine amount, the DPC also took into account the inexact nature of the information Twitter originally provided to it regarding the breach.

Following the DPC's announcement, Twitter tweeted, "We appreciate the clarity this decision brings for companies and the public around the GDPR's breach notification requirements. As always, our approach to these incidents will remain one of committed transparency and openness."
