Ireland’s Data Protection Commission (DPC) has released Twitter Failing to quickly declare and properly document a data breach under Europe’s General Data Protection Regulation (GDPR) with a fine of € 450,000 (~ $ 547k).
This decision is notable because it is the first such cross-border GDPR The decision by the Irish watchdog, which is the leading EU privacy observer for many tech giants – a backlog of some 20+ ongoing cases at this point, including active investigations by Facebook, WhatsApp, Google, Apple and LinkedIn, to name some.
“The DPC investigation began in January 2019 after receiving a breech notification from Twitter and the DPC found that Twitter violated Articles 33 (1) and 33 (5) of the GDPR and failed to notify the breech on time. . Failure to adequately document the DPC and the violation. The DPC has imposed an administrative penalty of € 450,000 on Twitter as an effective, proportionate and disappointing measure, ”the regulator writes in a press release.
The GDPR requires most breaches of personal data, which must be reported to the concerned officer within 72 hours of notifying the supervisor.
The regulation also requires them to document what the data involved and how they have reacted to the security incident – so that the concerned data supervisor can check about compliance.
Twitter was found to be a failure in both cases.
We have reached out to the social media company for comment, including asking if it plans to accept and pay the decision – or if it is considering its legal options.
Update: Twitter has now sent a statement blaming Damien Kieran, its chief privacy officer and global data protection officer:
Twitter teamed up with the Irish Data Protection Commission (IDPC) to support its investigation. We have a shared commitment to online security and privacy, and we respect IDPC’s decision, which relates to failure in our incident response process. Twitter notified IDPC outside the 72-hour statutory notice period as a result of an unexpected result from employees between Christmas Day 2018 and New Year’s Day. We have made changes so that all the events that occur thereafter are reported to the DPC from time to time.
We take responsibility for this mistake and are fully committed to protecting the privacy and data of our customers, informing the public of issues that occur quickly and transparently through our work. We appreciate the decision this decision brings for companies and consumers around the breech notification requirements of GDPR. Our approach to these events is transparency and openness.
The company also told us that since this specific incident, where the 2018 leave period was delayed in reporting insufficient staff violations, it made a report of all relevant incidents to the DPC within the required 72-hour period is.
The DPC’s decision relates to a breach that Twitter publicly disclosed in January 2019 – when it called a bug in its ‘Tweet Protect’ feature, some Android users may have interpreted their tweets as non – The setting was applied to public. Their data has been exposed on the public internet since 2014. (Although the GPDR will apply to data exposed after May 2018.)
Earlier this year, Twitter had significantly more eggs on its face, following a security concern, including a high-profile account hijacking episode, after network credentials were used by hackers spreading crypto-scandals. A social engineering technique.
Ireland’s DPC, meanwhile, continues to face criticism for long enough to decide on major cross-border GDPR cases, where the impact on individual rights could affect hundreds of millions of European Internet users.
Last year Commissioner Helen Dixon said the first major decisions of the GDPR would come “early” in 2020.
The first cross-border decision in the event has surpassed the days before the end of the year – outlining the challenges for the block in effectively implementing its digital rule book against tech giants. (The GDPR technically began to come into force in May 2018, although platform giants have faced precious little enforcement so far.)
In this specific case, an additional period of some half-year was added to the time of the decision, after which Ireland submitted another DPA to the European Union for review, back in May, which was not accepted by all of them – Settling disagreements among the block’s data observers to trigger a majority vote mechanism in GDPR.
The European Data Protection Board has published this Article 65 decision and the full final decision on its website.
The final (now) final result on Twitter’s case comes at a pivotal time – with EU lawmakers due to set their next major piece of digital policy later today, in regional digitization by fulfilling a reassuring promise As an ambitious push to accelerate. All of this technology has European railings wrapped around it.
Yet with GDPR enforcement proves to be such a tedious, friction-ridden process that threatens to spark the nascent Digital Services Act and the Digital Market Act for several months (or years) before it becomes EU law – the whole strategy Raising questions about. One can be expected to act in the absence of effective (ie reasonable but fast) enforcement.
Due to the rattling of EU law and the block of regulatory frameworks, Europeans are losing faith here based on the rights they say they enjoy. To get relief.
Therefore, the Commission’s strategy of claiming expanded digital regulations will act as a public trust booster risk falling into the trough of disillusionment on the legislative proposal platform.
Simple words: You can’t allow your regulators to move so slowly and expect your rulebook to touch tech giants whose playbook is fast to disrupt the rule of law in their own business interests To move beyond.
The DPC’s decision in the Twitter case follows how a gap between EU policymakers sits around the bloc’s ‘powerful’ digital rules – and the grim reality of reality near. After two years of Twitter disbanding and waiting for a hammer that should be a relatively straightforward affair.
Data Breach is not, after all, an investigation into the legitimacy of Facebook’s business model versus GDPR, nor is it engrossed in the intricacies of Google’s EdTech – both are still open case files on the DPC’s desk.
The fine is also a fraction (~ 0.1%) of Twitter’s full-year 2019 revenue; Global annual turnover maximum exemption up to 4% for GDPR (or up to a maximum of 2% for special violations included in a breech case). This first cross-border GDPR decision, therefore, looks to be more of a milestone for the Commission than it was at the end of the 2020s.
There is not much for the commissioners to celebrate here, even though they suggested in the summer that the best response to GDPR enforcement enforcement concerns would be for Ireland to decide. The problem now is that the black mark against the block’s record on digital enforcement has been firmly set – as the Commission plans to go all in the platform regulation.
Questions on enforcement keep coming up.