On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The process to investigate these points took a little under two years, and resulted in a decision of nearly 200 pages.
This is the first time that the DPC has issued a GDPR fine as a lead supervisory authority (“LSA”) after going through the “cooperation” and “consistency” mechanisms that enable other authorities to raise objections and the EDPB to resolve disagreements. The delay in the process and details in the EDPB binding resolution suggest that this was a somewhat arduous process. Several authorities raised objections in response to the DPC’s draft report – regarding the identity of the controller (Irish entity and/or U.S. parent), the competence of the DPC to be LSA, the scope of the investigation, the size of the fine, and other matters. Following some back and forth — most authorities maintained their objections despite the DPC’s explanations — the DPC referred the matter to the EDPB under the GDPR’s dispute resolution procedure. The EDPB considered the objections and dismissed nearly all of them as not being “relevant and reasoned”, but did require the DPC to reassess the level of the proposed fine.
Process aside, the DPC’s decision contains some interesting points on when a controller is deemed to be “aware” of a personal data breach for the purpose of notifying a breach to a supervisory authority. This may be particularly relevant for companies based in Europe that rely on parent companies in the US and elsewhere to process data on their behalf. The decision also underlines the importance of documenting breaches and what details organizations should include in these internal reports.
Twitter users can either make tweets public (in which case they are viewable by anyone) or “protected” (meaning only the user’s followers can see them). Due to a bug, if a user with “protected” tweets changed the email address on their Twitter account using an Android device their tweets would become public without their knowledge. A third-party security company discovered the bug and informed Twitter, Inc. (TIC’s processor). After reviewing the bug reports, Twitter, Inc. determined that the incident might have GDPR implications and commenced its internal procedure for managing personal data breaches. Following an initial period of investigation TIC notified the DPC.
Awareness and Timing
The DPC found that TIC did not comply with its obligations under Article 33(1) of the GDPR to notify a personal data breach within 72 hours of becoming aware of it. It found that Twitter, Inc. should have notified TIC earlier than it did (i.e., when Twitter, Inc. determined that the issue was potentially a personal data breach). According to the DPC, TIC therefore ought to have been aware of the breach at this time, and so the 72-hour reporting window commenced. The DPC made this finding based on the following:
- The timing of a controller’s “awareness” must be viewed in the context of the controller’s ability to become aware of the breach. In other words, the requirement that a controller notify a breach within 72 hours after becoming aware of it is predicated on the controller ensuring that it has systems and procedures in place with the processor to facilitate prompt awareness and timely notification of breaches.
- Moreover, if the breach procedure agreed with the processor is not effective, fails, or is not followed by the processor, such that the controller’s awareness and notification of the breach is delayed, the DPC will consider the controller to be constructively aware of the breach vis-à-vis the processor. As a result, the 72-hour window for notification will continue to apply.
The above rises from the fact that the controller is tasked with notifying a breach under Article 33(1), and has overall responsibility for ensuring compliance with the GDPR under Article 5(2).
Documenting a Breach
The DPC also found TIC had breached its obligations under Article 33(5) of the GDPR to document personal data breaches. The DPC set out in its decision the following information it believes a controller should document in relation to a breach:
- The decision to notify (Article 33(1)): This section of the record should include the controller’s assessment of the breach, including details of the event, the personal data breached and the controller’s assessment of the risk to data subjects resulting from the breach. Importantly, in the case of a delayed notification, this section should contain information about the factors that caused the delay.
- Obligation on a processor to notify a controller (Article 33(2)): This section of the record should contain information about when the processor became aware of the breach and how, when it notified the controller and any reasons for the delay in doing so.
- Details of the breach to be notified (Article 33(3)): This provision sets out the required contents of the controller’s notification to the supervisory authority. The DPC confirms, however, that it expects to see the information set out in Articles 33(a), (c) and (d) of the GDPR documented in a record of the personal data breach or register of personal data breaches.
- Staged approach/delay (Article 33(4)): This section of the record should contain information relating to the availability, and timing, of how knowledge and information on the breach evolved. This information is particularly relevant if the controller provides information to the DPC on a phased basis as it will assist the DPC in determining if the phased approach was justified.
Taking the above into account, the DPC found that TIC’s internal incident report and records were not sufficiently comprehensive. In particular, the DPC found that the report did not contain any reference to, or explanation of, the issues that led to the delay in TIC being notified of the breach, nor did it address how TIC assessed the risk to users arising from the breach.
Dispute Resolution Procedure
The DPC submitted its draft decision to the other supervisory authorities via the EDPB cooperation procedure in April 2020. Several authorities submitted objections to the DPC about the draft decision, on matters such as the infringements identified by the DPC, the role of Twitter as (sole) controller and the amount of the proposed fine. The DPC responded, but most of the authorities that raised objections stated that they maintained these objections after reading the DPC response. The DPC therefore referred the matter to the EDPB to initiate the dispute resolution procedure.
In its ruling, the EDPB dismissed most of the objections as not being “relevant and reasoned” (the standard under GDPR), often because the objections failed to demonstrate that the DPC’s draft decision would pose a significant risk to individuals if it was not amended to take the objections into account.
The EDPB did require the DPC, however, to amend its draft decision to increase the level of the fine.
As a result of the EDPB’s recommendation, the DPC increased its fine from a proposed range of USD 150,000—300,000 to USD 500,000 (EUR 450,000). In its decision, the DPC noted that it considered all of the factors set out in Article 83(2)(a) to (k) of the GDPR when calculating the fine. In particular, the DPC had regard to the nature, gravity and duration of the infringements concerned, taking account the nature, scope and purpose of the processing and the number of data subjects affected, as well as the alleged negligent character of the infringement.