On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.
The bug in question resulted in protected tweets being changed to unprotected tweets, making them widely available to the public without the user’s knowledge. This bug impacted Twitter users on Android devices who had changed the email address associated with their Twitter accounts. Twitter estimated that 88,726 Twitter users in Europe were affected between September 5, 2017 and January 11, 2019. The bug was discovered on December 26, 2018.
Investigation and GDPR Dispute Resolution Procedure
The DPC commenced its investigation into Twitter’s breach under Section 110 of the Irish Data Protection Act 2018 in January 2019, and provided its draft decision to “Concerned Supervisory Authorities” in May 2020, as required by Article 60 of the GDPR. Supervisory authorities in Austria, Italy and Germany raised objections to the size and “insufficiently dissuasive nature” of the DPC’s proposed penalty, which was within the range of €135,000-€275,000. This resulted in the DPC triggering the GDPR’s dispute resolution procedure and referring the matter to the European Data Protection Board (“EDPB”) with regard to those objections it was unable or unwilling to resolve.
This represents the first time that the dispute resolution procedure, set out under Article 65 of the GDPR, has been used. The EDPB evaluated the matter and issued its binding decision on November 9, 2020, which required that the DPC “re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on [Twitter], and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality.”
In evaluating the DPC’s initial approach, the EDPB stated that the DPC should have given greater weight while calculating its fine to the nature and scope of the processing involved in the breach, pointing in particular to the fact that Twitter users would have relied on the function of keeping tweets private to share information or views that they would not ordinarily share publicly. In adjusting the fine in its final decision, the DPC accordingly noted that it considered in particular the deliberate choice of Twitter users to restrict the audience of their tweets.
Background of the Investigation and Findings of the DPC
The alleged failures identified by the DPC were Twitter’s infringement of Articles 33(1) and (5) of the GDPR, which pertain to data breach notification and documentation. The DPC determined that Twitter had failed to notify the breach to the DPC within the 72-hour deadline and failed to adequately document the breach.
According to Twitter, the delay in notifying the breach to the DPC within the required timeframe resulted from a failure by Twitter International Company’s processor, Twitter, Inc., to notify Twitter International Company’s DPO of the potential breach when it became aware of it. However, the DPC essentially imputed the processor’s knowledge of the potential breach to Twitter International Company, stating that it is the controller’s responsibility to ensure that it has an effective process in place allowing processors to inform the controller of a personal data breach, and that where this does not occur and results in a delay in notification, the controller is considered to have constructive knowledge of the breach through its processor. This finding reiterates the importance of controllers and processors cooperating seamlessly in the context of security events giving rise to potential notification obligations.
As regards Twitter’s alleged failure to document the breach in accordance with Article 33(5) of the GDPR, the DPC stated that the company’s documentation of the breach did not contain sufficient information to allow the DPC to verify Twitter’s compliance with Article 33 of the GDPR. In particular, the DPC stated that the incident report provided by Twitter did not contain an adequate explanation of the issues that caused the delay in notification to the DPC, nor did it address how Twitter assessed the risks to affected users raised by the breach. This finding reiterates the importance of breach inventories under Article 33(5), which should be carefully considered in the wake of this decision.
In calculating the fine, the DPC considered the fact that the delay in notification of the breach was an isolated, rather than systemic, issue, but determined that the infringement of Article 33(5) of the GDPR was “ongoing,” since Twitter maintained in its submissions that its documentation of the breach was not deficient. Nonetheless, the DPC considered the infringements of both Articles 33(1) and (5) of the GDPR to be negligent rather than intentional.
With regard to mitigation, the DPC considered the steps taken by Twitter, Inc., to rectify the bug to be the sole mitigating factor, disregarding steps taken by Twitter that were required by law. The DPC stated: “An action, taken by a controller where it is mandated to do so on foot of a statutory obligation cannot be viewed as a mitigating factor.” As a statutory requirement, Twitter’s cooperation with the investigation also was not considered to be a mitigating factor. The DPC further considered the “imprecise nature” of the information originally provided to the DPC regarding the breach as a relevant factor when setting the amount of the fine.
Twitter tweeted following the DPC’s announcement that it took full responsibility for its mistake and remains committed to protecting the data of its customers, adding: “We appreciate the clarity this decision brings for companies and the public around the GDPR’s breach notification requirements. As always, our approach to these incidents will remain one of committed transparency and openness.”
Download both the DPC’s final decision and the EDPB’s decision.
See also the EDPB’s Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code