On 15th December 2020, the Irish Data Protection Commission (the “DPC”) announced its decision to impose an administrative fine of €450,000 on Twitter International Company (“Twitter”) following an investigation into a personal data breach reported by Twitter under the self-reporting obligations of the General Data Protection Regulation (EU) 2016/679 (“GDPR”). The breach arose as a result of a bug in Twitter’s Android app which caused Twitter to unintentionally make some of its users’ private tweets public.
It transpired that at least 88,726 data subjects in the European Economic Area were affected by the breach. Due to retention limitations on its available logs, however, Twitter could not identify the total number of people affected. The 88,726 data subjects identified reflect only the affected people Twitter could identify for the period from 5th September 2017 to 11th January 2019. Notably, the bug that led to the breach “was introduced on 4 November 2014” and “fully remediated by 14 January 2019.”
Under Article 33(1) of the GDPR, a controller of personal data has an obligation to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Article 33(5) of the GDPR requires a controller to document the personal data breach, including the facts relating to the personal data breach, its effects and the steps taken to remediate them.
In this case:
• Twitter became aware of the bug on 26th December 2018 (arguing that actual “awareness” of the breach occurred later).
• Twitter notified the breach to the DPC on 8th January 2019.
• The DPC commenced its investigation on 22nd January 2019.
The DPC concluded that Twitter infringed both Article 33(1) and Article 33(5) of the GDPR due to its failure (i) to notify the breach to the DPC within the prescribed timeframe and (ii) to adequately document the breach.
The DPC’s draft decision in the matter was submitted to the other European data regulators for review in May 2020, as required under Article 60 of the GDPR, and it was subject to their scrutiny. Some regulators were unhappy with the fine originally proposed by the DPC ($150,000 - $300,000), given that Twitter reported revenue of €2.8 billion last year and that the GDPR empowers regulators to fine organisations up to 4% of their global turnover for the previous year, or €20 million (whichever is greater).
As a consequence, the draft decision was referred to a dispute resolution mechanism under the European Data Protection Board (the “EDPB”) and was the first to go through this process since the introduction of the GDPR in May 2018. The EDPB’s decision was finalised in November and published this week.
Twitter released a statement on the decision and stated that:
“An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the DPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion. We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur”.
As the DPC is the lead supervisory authority for a number of multinational technology companies that have their headquarters here in Ireland, it has faced pressure in recent years to clamp down on their processing activities, and this decision is notably the DPC’s first GDPR enforcement against such a multinational. The DPC described the penalty as “an effective, proportionate and dissuasive measure”.
The Irish Council for Civil Liberties was disappointed at the level of the fine imposed, describing it as “meagre”.
The EDPB has published its decision and the DPC’s final decision on its website, both of which can be viewed here.
This note is for general information purposes and does not constitute legal advice. Legal advice must be obtained for all individual circumstances. Each case must be assessed on its own merits.