The European Data Protection Board (EDPB) has issued its first binding decision under Article 65 GDPR, concerning the fine imposed on Twitter for a breach of GDPR, in its “Decision 01/2020 on the dispute arisen on the draft decision of the Irish Supervisory Authority regarding Twitter International Company under Article 65(1)(a) GDPR”.
What did Twitter do?
Twitter’s fine was imposed earlier in December for failing to promptly notify and document a personal data breach under the General Data Protection Regulation (GDPR). Under Article 33(1) GDPR, on becoming aware of a personal data breach, a data controller must notify the competent supervisory authority (its national DPA) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach “…is unlikely to result in a risk to the rights and freedoms of natural persons.”
Twitter’s breach related to the “Protect Your Tweets” feature. A bug in the Android app meant that users who had set their tweets to protected (private) could have those tweets made publicly accessible when they changed certain account settings.
The data controller was Twitter International Company (“TIC”), based in Dublin. Twitter Inc. (“TUS”), in the US, was the data processor.
TUS received a bug report on 26 December 2018. The bug was assessed by an outsourced contractor on 29 December. TUS reviewed the assessment on 2 January 2019 and took advice from its lawyers, who advised that this was a personal data breach and that GDPR therefore required it to be notified.
Owing to what appear to have been internal communication failures, that advice was not relayed to TIC until several days later, and TIC notified the Data Protection Commission (DPC) in Ireland on 8 January 2019.
Twitter therefore appeared to have contravened Article 33 GDPR by failing to notify the Irish DPC within 72 hours of becoming aware of the breach.
Investigation by the Irish Data Protection Commission
The DPC investigation of the breach looked at two questions:
- Had TIC breached the 72 hour notification requirement under Article 33(1) GDPR? and
- Had TIC breached the requirement under Article 33(5) to document any personal data breaches in sufficient detail to allow the supervisory authority to verify compliance with Article 33(1)?
The notification clearly took longer than 72 hours from the date the bug was reported. TIC argued, however, that Article 33(1) requires the controller to notify within 72 hours of becoming aware of the breach, that it had notified within 72 hours of being informed by TUS, and that the delay had been caused by the processor, so the 72 hour clock could only start running from the point at which TIC itself was actually made aware.
As for Article 33(5), the DPC questioned how TIC had recorded the breach. In particular, it took issue with TIC’s failure to carry out any form of risk assessment once aware of the breach in order to gauge the potential harm to affected users. Acting swiftly in these situations matters, because that is how the impact of a breach is curtailed. TIC’s approach had instead been to assume that a data breach had probably occurred. Around 89,000 EU users were affected between 2017 and 2019, with further users affected going back as far as 2014.
TIC argued that the information it had provided to the DPC about the breach was sufficient, and that its processes were based on the EU breach notification guidelines. It cited its incident reports, the experience of Twitter’s incident management officers, and its offer to provide the DPC with sworn affidavits as evidence of its compliance and adherence to best practice.
The DPC’s take
The Commissioner of the DPC noted that the purpose of the notification process under Article 33(1) is to ensure that supervisory authorities are told of breaches in enough time to assess the potential harm to data subjects and, if necessary, direct controllers to take protective and remedial action. It was stated:
“I consider that, having regard to the controller’s overall responsibility and accountability under the GDPR, the controller must ensure that, by means of an effective process agreed with its processor, it is made aware of personal data breaches in such a manner as to enable compliance with its own obligation under Article 33(1).”
“… the controller must, in these circumstances, be considered as having constructive awareness of the personal data breach through its processor, such that its obligation to notify under Article 33(1) continues to apply.” […] “The alternative application of Article 33(1), and that being suggested by TIC, whereby the performance by a controller of its obligation to notify is, essentially, contingent upon the compliance by its processor with its obligations under Article 33(2), would undermine the effectiveness of the Article 33 obligations on a controller.”
The DPC ruled that TIC had constructive knowledge of the breach through its processor and was deemed to have become aware of it on 3 January 2019 (the point at which it ought to have been aware), meaning the 72 hour period expired on 6 January 2019.
The DPC noted that in the event of a breach, a data controller must record:
- Information relating to the controller’s assessment of whether the incident / event comprised a personal data breach…;
- Information relating to or outlining the controller’s assessment of risk posed by the personal data breach…;
- In the case of a delayed notification, information in relation to the reasons for the delay, including details of the factors that caused the delay…;
Detailed internal records of all breaches therefore need to be kept in order to comply with Article 33(5).
TIC was found to fall short of this standard and therefore to be in breach of both Article 33(1) and Article 33(5).
The cap for breaches of Article 33 is, under Article 83(4) GDPR, EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. The turnover used was that of the Twitter parent company, Twitter Inc., rather than TIC, the Irish arm, on the grounds that the parent exerted “decisive” control and influence over TIC’s operations. Supervisory authorities have discretion over the amount of the fine, up to that maximum.
Who is the EDPB?
The EDPB is an independent European body which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities. Under Article 65 GDPR it has the power to adopt a binding decision where the supervisory authorities concerned disagree over a lead supervisory authority’s draft decision, as happened here when other authorities objected to the Irish DPC’s draft.
Why was the matter referred to EDPB?
The decision of the Irish DPC was referred to the EDPB for determination because the draft decision was objected to by eight other national DPAs (Austria, Germany, Denmark, Spain, France, Hungary, Italy and the Netherlands).
We will not look at each objection separately, but what were the objections about? In short, they concerned the level of the fine, which the other supervisory authorities did not consider harsh enough.
The German DPA suggested a fine as high as $26.92 million (about 0.75% of Twitter’s global turnover) for the Article 33 infringements. Any organisation currently deciding in which EU country to establish itself should take note of that suggestion, as it may be a sign of things to come. A fine at that level could be seen as harsh in this instance: although the 72 hour deadline was not met, the rationale behind it, namely ensuring that a breach is mitigated as quickly as possible, does not quite apply where the bug dated back to 2014, and a further day or two would not have made a difference to the Twitter users actually affected. Notwithstanding this, the decision, and the suggestions by other Member States, show the prevailing attitude to GDPR enforcement, and organisations should take note that their obligations are serious ones.
In this case, the decision of Ireland’s supervisory authority to fine Twitter EUR 450,000 for breaching data protection law has been upheld. It is the first decision of its kind under Article 65 and highlights the EU’s commitment to upholding strict data protection laws, although the EDPB did not adopt the suggestions of certain Member States that an even harsher penalty be applied.
As a side note, the differences in approach between Member States highlight the need for Article 65 and the EDPB, to ensure that GDPR standards are kept consistent throughout the EU. Without this objective standard, the application of GDPR could become incoherent and could even result in global businesses choosing their Member State of establishment so as to avoid being held to too harsh a standard for any data breaches they may suffer.
Does the Decision serve as an effective deterrent to Organisations to ensure they protect users’ personal data?
Companies like Twitter are always going to be subject to strict enforcement, both to make an example of the very top echelon of tech firms and to show GDPR’s teeth in practice. Granted, the level of fine in this case is a drop in the ocean for a company like Twitter, and it could be argued that it is not harsh enough given Twitter’s global turnover. However, as discussed above, Twitter’s infraction, a delay of around two days in complying with its notification obligation, would not have made a difference to the affected users, as the bug appears to have been causing problems for a significant time already. Further, the maximum fine under GDPR for this kind of infringement is 2% of turnover. This is a cap, not a target, and it serves as a deterrent to ensure compliance by firms, whether the harm to an organisation’s users arises from deliberate acts or from carelessness resulting in a significant data breach. The very real possibility of being penalised for failing to comply with GDPR is reason enough for firms, big and small, to take note of their data protection duties.
What is clear though is that GDPR is not a case of simply making provisions in your terms and conditions and ticking the compliance box. It is an ongoing process that requires monitoring and safeguarding processes to be put in place by every organisation that handles personal data.
Tech firms especially must audit their privacy and data protection policies regularly to ensure they are both compliant and effective. They should also train their relevant employees regularly so that they know what their notification obligations are in the event of a breach and, as this case shows, agree an effective process with their processors so that a breach reaches the controller in time for it to meet its own 72 hour deadline.
It will be interesting to follow developments now that the UK has left the EU. The UK is retaining an adapted version of GDPR (the “UK GDPR”) with the same standards, principles and maximum fines, applying to the UK only and with the ICO rather than the EDPB as the final arbiter. This means UK firms may find themselves subject to different fine levels from their EU counterparts.
Which Organisations does this impact?
A Data Controller is the organisation that decides why and how personal data is processed (the “purposes and means” of processing, Article 4(7) GDPR): for example, a business collecting customer details in order to fulfil sales orders.
A Data Processor is an organisation that processes personal data on behalf of, and on the instructions of, a controller (Article 4(8) GDPR): for example, a payroll bureau or a cloud storage provider holding your customer records for you. Note that if you keep customer contact details after a sale for your own marketing, you are acting as a controller for that processing, not as a processor.
You may be both a Data Controller and a Data Processor, depending on the processing in question, or you may act as a Data Controller and outsource processing to a Data Processor: for example, if you pass data to a third party cloud storage provider to hold customer records or mailing lists. You remain legally responsible for the personal data processed on your behalf. As a Data Controller you also have a duty under Article 28 GDPR to use only processors that provide sufficient guarantees of GDPR compliance, to have a written contract with them and, as the Twitter case shows, to agree an effective process with them so that breaches are reported to you in time for you to meet your own notification deadline.
As referred to in a previous article on the duties imposed on organisations by GDPR, Article 5 sets out the General Principles that organisations operating in the EU (and currently the UK) must adhere to:
The General Principles
GDPR is based upon General Principles to be adhered to (Art. 5). It provides that any personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified and legitimate purposes and not used in a manner that is incompatible with those purposes;
- adequate, relevant and limited to only what is necessary;
- accurate and, where necessary, kept up to date;
- kept for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) adds the accountability principle: the controller is responsible for, and must be able to demonstrate, compliance with the above. It was this accountability that the DPC relied on in holding TIC responsible for its processor’s delay.
Compliance with GDPR is mandatory for organisations established in the EU and, under Article 3 GDPR, for organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. In the UK the ICO guidance is a helpful resource for organisations seeking to ensure they are compliant.
It can now be seen in practice that GDPR is a regulation with real teeth and that the EU is intent on seeing it properly applied. It is something all businesses with a presence in the EU or UK must take seriously and be familiar with, to ensure that they do not fall foul of the rules and, of course, for the reason the regulation exists: so that their customers’ data is secure and protected and, in the event of a breach, remedial action can be taken to protect those affected.
How Ai Law can help:
It is important to ensure you have up to date terms of business and that your contract terms reflect the current laws on data protection. It is also necessary to carry out a data audit to assess how people’s personal data flows through your business and then how to protect it. This is increasingly important for internet based businesses and marketing businesses.
If you are unsure about your compliance and would like a review of your terms of business or website terms, or a review of your data audits, speak to us today.