On December 15, 2020, the Irish Data Protection Commission (“DPC”) fined Twitter International Company (“TIC”) EUR 450,000 (USD 500,000) following a narrow investigation into TIC’s compliance with obligations to (a) notify a personal data breach within 72 hours under Article 33(1) GDPR; and (b) document the facts of the breach under Article 33(5) GDPR. The process to investigate these points took a little under two years, and resulted in a decision of nearly 200 pages.

This is the first time that the DPC has issued a GDPR fine as a lead supervisory authority (“LSA”) after going through the “cooperation” and “consistency” mechanisms that enable other authorities to raise objections and the EDPB to resolve disagreements. The delay in the process and details in the EDPB binding resolution suggest that this was a somewhat arduous process. Several authorities raised objections in response to the DPC’s draft report – regarding the identity of the controller (Irish entity and/or U.S. parent), the competence of the DPC to be LSA, the scope of the investigation, the size of the fine, and other matters. Following some back and forth — most authorities maintained their objections despite the DPC’s explanations — the DPC referred the matter to the EDPB under the GDPR’s dispute resolution procedure. The EDPB considered the objections and dismissed nearly all of them as not being “relevant and reasoned”, but did require the DPC to reassess the level of the proposed fine.

Process aside, the DPC’s decision contains some interesting points on when a controller is deemed to be “aware” of a personal data breach for the purpose of notifying a breach to a supervisory authority. This may be particularly relevant for companies based in Europe that rely on parent companies in the US and elsewhere to process data on their behalf. The decision also underlines the importance of documenting breaches and what details organizations should include in these internal reports.

Background

Twitter users can either make tweets public (in which case they are viewable by anyone) or “protected” (meaning only the user’s followers can see them). Due to a bug, if a user with “protected” tweets changed the email address on their Twitter account using an Android device their tweets would become public without their knowledge. A third-party security company discovered the bug and informed Twitter, Inc. (TIC’s processor). After reviewing the bug reports, Twitter, Inc. determined that the incident might have GDPR implications and commenced its internal procedure for managing personal data breaches. Following an initial period of investigation TIC notified the DPC.

Breach Notification

Awareness and Timing

The DPC found that TIC did not comply with its obligations under Article 33(1) of the GDPR to notify a personal data breach within 72 hours of becoming aware of it. It found that Twitter, Inc. should have notified TIC earlier than it did (i.e., when Twitter, Inc. determined that the issue was potentially a personal data breach). According to the DPC, TIC therefore ought to have been aware of the breach at this time, and so the 72-hour reporting window commenced. The DPC made this finding based on the following:

  • The timing of a controller’s “awareness” must be viewed in the context of the controller’s ability to become aware of the breach. In other words, the requirement that a controller notify a breach within 72 hours after becoming aware of it is predicated on the controller ensuring that it has systems and procedures in place with the processor to facilitate prompt awareness and timely notification of breaches.
  • Moreover, if the breach procedure agreed with the processor is not effective, fails, or is not followed by the processor, such that the controller’s awareness and notification of the breach is delayed, the DPC will consider the controller to be constructively aware of the breach vis-à-vis the processor. As a result, the 72-hour window for notification will continue to apply.

The above arises from the fact that the controller is tasked with notifying a breach under Article 33(1), and has overall responsibility for ensuring compliance with the GDPR under Article 5(2).

Documenting a Breach

The DPC also found TIC had breached its obligations under Article 33(5) of the GDPR to document personal data breaches. The DPC set out in its decision the following information it believes a controller should document in relation to a breach:

  • The decision to notify (Article 33(1)): This section of the record should include the controller’s assessment of the breach, including details of the event, the personal data breached and the controller’s assessment of the risk to data subjects resulting from the breach. Importantly, in the case of a delayed notification, this section should contain information about the factors that caused the delay.
  • Obligation on a processor to notify a controller (Article 33(2)): This section of the record should contain information about when the processor became aware of the breach and how, when it notified the controller and any reasons for the delay in doing so.
  • Details of the breach to be notified (Article 33(3)): This provision sets out the required contents of the controller’s notification to the supervisory authority. The DPC confirms, however, that it expects to see the information set out in Article 33(3)(a), (c) and (d) of the GDPR documented in a record of the personal data breach or register of personal data breaches.
  • Staged approach/delay (Article 33(4)): This section of the record should contain information relating to the availability, and timing, of how knowledge and information on the breach evolved. This information is particularly relevant if the controller provides information to the DPC on a phased basis as it will assist the DPC in determining if the phased approach was justified.

Taking the above into account, the DPC found that TIC’s internal incident report and records were not sufficiently comprehensive. In particular, the DPC found that the report did not contain any reference to, or explanation of, the issues that led to the delay in TIC being notified of the breach, nor did it address how TIC assessed the risk to users arising from the breach.

Dispute Resolution Procedure

The DPC submitted its draft decision to the other supervisory authorities via the EDPB cooperation procedure in April 2020. Several authorities submitted objections to the DPC about the draft decision, on matters such as the infringements identified by the DPC, the role of Twitter as (sole) controller and the amount of the proposed fine. The DPC responded, but most of the authorities that raised objections stated that they maintained these objections after reading the DPC response. The DPC therefore referred the matter to the EDPB to initiate the dispute resolution procedure.

In its ruling, the EDPB dismissed most of the objections as not being “relevant and reasoned” (the standard under GDPR), often because the objections failed to demonstrate that the DPC’s draft decision would pose a significant risk to individuals if it was not amended to take the objections into account.

The EDPB did require the DPC, however, to amend its draft decision to increase the level of the fine.

Fine Amount

As a result of the EDPB’s recommendation, the DPC increased its fine from a proposed range of USD 150,000 to 300,000 to USD 500,000 (EUR 450,000). In its decision, the DPC noted that it considered all of the factors set out in Article 83(2)(a) to (k) of the GDPR when calculating the fine. In particular, the DPC had regard to the nature, gravity and duration of the infringements concerned, taking account of the nature, scope and purpose of the processing and the number of data subjects affected, as well as the alleged negligent character of the infringement.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Shóna O’Donovan

Advising clients on a broad range of data protection, e-privacy and online content issues under EU, Irish, and UK law, Shóna O’Donovan works with her clients on technology regulatory and policy issues.
With multi-jurisdictional and in-house experience, Shóna advises global companies on complying with data protection laws in the EU. In particular, she represents organizations in regulatory investigations and inquiries, advises on children’s privacy issues and provides strategic advice on incident response. Shóna also advises clients on policy developments in online content and online safety.

In her current role, Shóna has gained experience on secondment to the data protection team of a global technology company. In a previous role, she spent seven months on secondment to the European data protection team of a global social media company.

Shóna’s recent pro bono work includes providing data protection advice to the International Aids Vaccine Initiative and a UK charity helping people with dementia, and working with an organization specializing in providing advice to states involved in conflict on documenting human rights abuses.

Paul Maynard

Paul Maynard is an associate in the technology regulatory group in the London office. He focuses on advising clients on all aspects of UK and European privacy and cybersecurity law relating to complex and innovative technologies such as adtech, cloud computing and online platforms. He also advises clients on how to respond to law enforcement demands, particularly where such demands are made across borders.

Paul advises emerging and established companies in various sectors, including online retail, software and education technology. His practice covers advice on new legislative proposals, for example on e-privacy and cross-border law enforcement access to data; advice on existing but rapidly-changing rules, such as the GDPR and cross-border data transfer rules; and on regulatory investigations in cases of alleged non-compliance, including in relation to online advertising and cybersecurity.