
Twitter fined ~$550K over a data breach in Ireland’s first major GDPR decision

Natasha Lomas
Senior Reporter, TechCrunch
December 15, 2020

Ireland’s Data Protection Commission (DPC) has levied a fine of €450,000 (approximately $547,000) against Twitter for a delay in reporting and insufficient documentation of a data security incident, as required by Europe’s General Data Protection Regulation (GDPR).

This ruling is significant as it represents the first instance of a cross-border GDPR decision made by the Irish regulatory body, which serves as the primary EU privacy supervisor for numerous major technology companies. The DPC currently manages a substantial caseload, with over 20 ongoing investigations involving companies such as Facebook, WhatsApp, Google, Apple, and LinkedIn.

According to a press release issued by the regulator, “The DPC’s investigation began in January 2019 after receiving a breach notification from Twitter. The DPC determined that Twitter violated Article 33(1) and 33(5) of the GDPR by failing to notify the DPC of the breach within the stipulated timeframe and by not adequately documenting the incident. As an effective, proportionate, and deterrent measure, the DPC has imposed an administrative fine of €450,000 on Twitter.”

The GDPR mandates that most breaches involving personal data be reported to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach.

The regulation also stipulates that a detailed record of the data affected and the response to the security incident must be maintained, allowing the supervisory authority to verify compliance.

In this particular instance, Twitter was found to be non-compliant with both of these requirements.

We have contacted the social media company for a statement, inquiring whether they intend to accept the decision and remit payment, or if they are considering available legal avenues.

Update: Twitter has provided the following statement, attributed to Damien Kieran, its chief privacy officer and global data protection officer:

The company also informed us that, following this specific incident – which was attributed to inadequate staffing during the 2018 holiday season causing a reporting delay – all subsequent incident reports have been submitted to the DPC within the required 72-hour period.

The DPC’s decision concerns a breach that Twitter publicly disclosed in January 2019, stemming from a flaw in its ‘Protect your tweets’ feature. This bug potentially exposed the non-public tweets of some Android users to the public internet dating back to 2014. (However, GDPR would only apply to data exposed after May 2018.)

Since acknowledging the ‘Protect your tweets’ bug, Twitter has faced further security challenges, including a prominent account hijacking incident earlier this year, resulting from hackers gaining network access credentials through a social engineering tactic.

Ireland’s DPC continues to receive criticism regarding the time it takes to reach decisions in significant cross-border GDPR cases, which can impact the rights of hundreds of millions of European internet users.

Last year, commissioner Helen Dixon indicated that the DPC’s initial major GDPR decisions would be released “early” in 2020.

Ultimately, the first cross-border decision has been issued shortly before the year’s end, highlighting the difficulties the EU faces in effectively enforcing its digital regulations against large technology companies. (GDPR technically came into effect in May 2018, though substantial enforcement against major platforms has been limited.)

In this case, an additional six months were added to the decision timeline after a draft outcome submitted to other EU DPAs in May was not universally accepted, triggering a majority vote mechanism within the GDPR to resolve disagreements among the bloc’s data supervisors.

The European Data Protection Board (EDPB) has published the Article 65 decision and the complete final decision on its website here.

This final outcome in the Twitter case arrives at a crucial moment, as EU lawmakers are scheduled to unveil their next set of major digital policies later today, as part of a broader initiative to accelerate regional digitization while ensuring robust European safeguards for technology.

However, with GDPR enforcement proving to be a slow and complex process, potentially diminishing the impact of the forthcoming Digital Services Act and Digital Markets Act before they even become EU law, questions arise regarding the viability of this strategy without effective (i.e., fair and swift) enforcement.

A broader concern is that European citizens may lose confidence in the rights-based framework they are told they possess under EU law and the bloc’s regulatory structures if obtaining redress proves to be a protracted and cumbersome process.

Consequently, the Commission’s claim that expanded digital rules will enhance public trust risks being undermined by disillusionment even at the legislative proposal stage.

In essence: Regulators cannot operate at such a slow pace and expect their rulebook to be respected by technology companies that prioritize rapid disruption of the existing legal framework.

The DPC’s decision in the Twitter case therefore illustrates the considerable gap between the rhetoric of EU policymakers regarding the ‘powerful’ digital rules and the more challenging and uncertain reality: nearly two years after Twitter disclosed the breach, a decision has been reached in what should have been a relatively straightforward case.

A data breach differs from an investigation into the legality of Facebook’s business model under GDPR, or an examination of the complexities of Google’s adtech – both of which remain open cases on the DPC’s agenda.

The penalty imposed is also a small fraction (just over 0.1%) of Twitter’s full-year 2019 revenue, significantly less than the maximum of 4% of global annual turnover allowed under the GDPR (or the 2% maximum for the specific infringements in this breach case).

The size of the fine calculated by Ireland was one of the points of contention raised by other EU DPAs during the review of the draft decision – the DPC initially proposed an even smaller fine (ranging from 0.005% to 0.01% of Twitter’s annual turnover; or between €135k and €275k).

The Article 65 intervention compelled Ireland to increase the penalty (though only modestly), with the EDPB issuing a binding directive that Ireland reassess the calculation “so as to ensure it is appropriate to the facts of the case”. (The EDPB did not specify the required amount of the increase.)

We have contacted the DPC for further comment.

EU DPAs also held differing views on the controller/processor status of Twitter’s Irish business versus its US parent company – with Ireland designating Twitter Ireland as the data controller and Twitter Inc as the processor, a classification that may have been intended to limit its liability.

Therefore, this first cross-border GDPR decision appears to be more of a hindrance than a milestone for the Commission as 2020 draws to a close.

There is little for commissioners to celebrate, despite their suggestion earlier in the year that a decision from Ireland would address concerns about GDPR enforcement. The negative marks against the bloc’s record on digital enforcement remain prominent, coinciding with the Commission’s plan to aggressively pursue platform regulation.

Questions regarding enforcement will continue to arise.

https://twitter.com/maxschrems/status/1338812921212702722

https://twitter.com/tim2040/status/1338808081719971840

Update: A spokesperson for the DPC referenced pages seven through fourteen of the decision (pages 175 to 182) – which detail the rationale for calculating the fine level – for what it considers “moderately serious” infringements of the GDPR.

“I am satisfied that a fine in this amount will be effective, proportionate and dissuasive, taking into account all of the circumstances of this case,” the DPC stated, adding: “In addition, given that the fine which I have now decided to impose represents an increase of approximately 67% on the upper level of the range of the fine previously proposed in the Draft Decision, I consider that the fine imposed accords with the binding direction of the EDPB.”

Regarding the controller/processor designation, the spokesperson said:

This report has been updated with a statement from Twitter and additional details from the Article 65 decision.


Natasha Lomas

Natasha served as a leading journalist at TechCrunch for over twelve years, from September 2012 until April 2025, reporting from a European base. Before her time with TC, she evaluated smartphones as a reviewer for CNET UK. Earlier in her career, she dedicated more than five years to covering the realm of business technology at silicon.com – which is now integrated within TechRepublic – with a concentration on areas like mobile and wireless technologies, telecommunications and networking, and the development of IT expertise. She also contributed as a freelance writer to prominent organizations such as The Guardian and the BBC. Natasha’s academic background includes a First Class Honours degree in English from Cambridge University, complemented by a Master of Arts degree in journalism from Goldsmiths College, University of London.