Twitter users have to wait to longer to find out what penalties, if any, the platform faces under the European Union’s General Data Protection Regulation (GDPR) for a data breach that dates back around two years.
The tech firm’s lead regulator in the region, Ireland’s Data Protection Commission (DPC), began investigating an earlier Twitter breach in November 2018 — completing the probe earlier this year and submitting a draft decision to other EU DPAs for review in May, just ahead of the second anniversary of the GDPR’s application.
In a statement on the development, Graham Doyle, the DPC’s deputy commissioner, told TechCrunch: “The Irish Data Protection Commission (DPC) issued a draft decision to other Concerned Supervisory Authorities (CSAs) on 22 May 2020, in relation to this inquiry into Twitter. A number of objections were raised by CSAs and the DPC engaged in a consultation process with them. However, following consultation a number of objections were maintained and the DPC has now referred the matter to the European Data Protection Board (EDPB) under Article 65 of the GDPR.”
Under the regulation’s one-stop-shop mechanism, cross-border cases are handled by a lead regulator — typically where the business has established its regional base. For many tech companies that means Ireland, so the DPC has an oversized role in the regulation of Silicon Valley’s handling of people’s data.
This means it now has a huge backlog of highly anticipated complaints relating to tech giants including Apple, Facebook, Google, LinkedIn and indeed Twitter. The regulator also continues to face criticism for not yet ‘getting it over the line’ in any of these complaints and investigations pertaining to big tech. So the Twitter breach case is being especially closely watched as it looks set to be the Irish DPC’s first enforcement decision in a cross-border GDPR case.
Last year commissioner Helen Dixon said the first of these decisions would be coming “early” in 2020. In the event, we’re past the halfway mark of the year with still no enforcement to show for it. Though the DPC emphasizes the need to follow due process to ensure final decisions stand up to any challenge.
The latest delay in the Twitter case is a consequence of disagreements between the DPC and other regional watchdogs which, under the rules of GDPR, have a right to raise objections on a draft decision where users in their countries are also affected.
It’s not clear what specific objections have been raised to the DPC’s draft Twitter decision, or indeed what Ireland’s regulator has decided in what should be a relatively straightforward case, given it’s a breach — not a complaint about a core element of a data-mining business model.
Far more complex complaints are still sitting on the DPC’s desk. Doyle confirmed that a complaint pertaining to WhatsApp’s legal basis for sharing user data with Facebook remains the next most progressed in the stack, for example.
So, given the DPC’s Twitter breach draft decision hasn’t been universally accepted by Europe’s data watchdogs it’s all but inevitable Facebook-WhatsApp will go through the same objections process. Ergo, expect more delays.
Article 65 of the GDPR sets out a process for handling objections on draft decisions. It allows for one month for DPAs to reach a two-thirds majority, with the possibility for a further extension of another month — which would push a decision on the Twitter case into late October.
If there’s still not enough votes in favor at that point, a further two weeks are allowed for EDPB members to reach a simple majority. If DPAs are still split the Board chair, currently Andrea Jelinek, has the deciding vote. So the body’s role in major decisions over big tech looks set to be very key.
We’ve reached out to the EDPB with questions related to the Twitter objections and will update this report with any response. Update: In a statement, Jelinek, said: “I can confirm that the Irish DPC has triggered an Art 65 procedure and that the EDPB will work on this issue [as] foreseen in Art 65 GDPR (dispute resolution by the board) within the given timeframe.”
The Article 65 process exists to try to find consensus across a patchwork of national and regional data supervisors. But it won’t silence critics who argue the GDPR is not able to be applied fast enough to uphold EU citizens’ rights in the face of fast-iterating data-mining giants.
To wit: Given the latest developments, a final decision on the Twitter breach could be delayed until November — a full two years after the investigation began.
Earlier this summer a two-year review of GDPR by the European Commission, meanwhile, highlighted a lack of uniformly vigorous enforcement. Though commissioners signalled a willingness to wait and see how the one-stop-shop mechanism runs its course on cross-border cases, while admitting there’s a need to reinforce cooperation and co-ordination on cross border issues.
“We need to be sure that it’s possible for all the national authorities to work together. And in the network of national authorities it’s the case — and with the Board [EDPB] it’s possible to organize that. So we’ll continue to work on it,” justice commissioner, Didier Reynders, said in June.
“The best answer will be a decision from the Irish data protection authority about important cases,” he added then.