Twitter could face its first GDPR penalty within days

Authorities overseeing data protection in Europe are nearing a resolution regarding a security incident at Twitter that the company revealed in 2019, following agreement from a majority of EU data protection authorities to support a proposed agreement initially submitted by Ireland’s Data Protection Commission (DPC).
Twitter disclosed the vulnerability in its ‘Protect your tweets’ functionality at the beginning of the previous year, stating that some Android users who had enabled the setting to make their tweets private may have had their tweets exposed to the public internet, dating back to 2014.
A revised data protection framework became effective in the European Union in May 2018, meaning this breach occurring between 2014 and 2019 falls under the scope of the EU’s General Data Protection Regulation (GDPR).
Ireland’s DPC serves as the primary supervisory authority for the Twitter case; however, due to the international scope of the company’s operations, all EU data protection agencies possess both an interest and the capacity to submit “relevant and reasoned” objections to the proposed decision. Concerns regarding the DPC’s draft decision were formally expressed during the summer, initiating a dispute resolution procedure for cross-border cases as outlined in the GDPR.
The European Data Protection Board (EDPB), an organization dedicated to coordinating regulatory efforts across the EU, announced today that it has issued its first decision under Article 65 – the mechanism for resolving disagreements among the EU’s various data protection authorities. This indicates that at least a two-thirds majority of the EU DPAs have endorsed the agreement.
“On November 9, 2020, the EDPB adopted its binding decision and will formally notify the Irish SA shortly,” the organization stated.
Graham Doyle, Ireland’s deputy commissioner, verified that the EDPB has communicated its Article 65 decision but refrained from providing further commentary at this time.
Ireland’s DPC now has a period of up to one month to release a definitive ruling.
“The Irish SA [supervisory authority] will adopt its final decision based on the EDPB decision, addressed to the controller, without undue delay and no later than one month after the EDPB’s notification,” the EDPB statement clarified.
The specifics of any potential penalties Twitter might incur – such as a financial fine – have not yet been disclosed. However, the conclusion of this process is now approaching.
GDPR establishes a legal requirement for data controllers to ensure the adequate protection of personal data. Violations of this framework can result in financial penalties reaching up to 4% of a company’s total worldwide annual revenue. (To date, the largest GDPR fine levied against a major technology company remains a $57M penalty imposed on Google by France’s CNIL.)
In contrast to the Google case – which CNIL pursued prior to Google relocating its EU legal headquarters to Ireland – the Twitter case is a cross-border matter and will represent the first significant GDPR case involving a large technology company to reach a final conclusion.
The EU’s primary data protection regulation continues to attract criticism regarding the length of time required to investigate cases and issue decisions, particularly those concerning major technology companies.
Last year, the Irish regulator indicated that its initial cross-border GDPR decisions would be forthcoming “early” in 2020. While the first decision will arrive before the end of 2020, this timeline is unlikely to appease critics who contend that EU regulators lack the resources and expertise to effectively oversee how large technology companies manage personal data.
The Twitter breach case is also anticipated to be less intricate than some of the ongoing GDPR investigations based on complaints against major technology platforms, including inquiries into the legal justification for Facebook’s processing of user data and the data handling practices of Google’s advertising exchange. Nevertheless, the EDPB extended the Article 65 process by an additional month beyond the standard one-month period, citing the “complexity of the subject matter.” This does not suggest a swift resolution for more challenging cases.
However, utilizing dispute resolution for cross-border cases may foster greater consistency and potentially accelerate enforcement efforts over time.
The UK’s ICO provides a potential cautionary example, having recently reduced substantial preliminary fines announced in a couple of (non-big-tech) GDPR data breach cases, resulting in enforcement that was both delayed and less severe than initially indicated.
Despite criticisms regarding perceived shortcomings in GDPR enforcement, EU lawmakers remain committed to effectively regulating large technology companies.
Indeed, the Commission is scheduled to present a legislative proposal next month to implement ex ante rules for dominant Internet platforms as part of the planned Digital Markets Act. These plans would subject so-called ‘gatekeepers’ to a set of ‘dos and don’ts,’ including restrictions on data sharing practices. The proposal may also include a move to establish a pan-EU regulator to oversee major platforms.
Such an approach could alleviate the oversight burden on a limited number of EU DPAs responsible for a disproportionate number of large technology companies, such as the Irish DPC. However, it is likely to be a considerable period before any new EU platform rules are fully implemented and enforced.