Twitter could face its first GDPR penalty within days

European data protection regulators have inched toward an enforcement decision for a Twitter breach that the company publicly disclosed in 2019, after a majority of EU data supervisors agreed to back a draft settlement submitted earlier by Ireland’s Data Protection Commission (DPC).

Twitter disclosed the bug in its ‘Protect your tweets’ feature at the start of last year — saying at the time that some Android users who’d applied its setting to make their tweets non-public may have had their data exposed to the public Internet since as far back as 2014.

A new data protection regime, meanwhile, came into force in the European Union in May 2018 — meaning the 2014-2019 breach falls under the EU’s General Data Protection Regulation (GDPR).

Ireland’s DPC is the lead supervisor authority in the Twitter case but the cross-border nature of its business means all EU data protection agencies have an interest and the ability to make “relevant and reasoned” objections to the draft. Objections to the DPC’s draft decision were duly raised over the summer — triggering a dispute resolution process for cross-border cases set out in the GDPR.

The European Data Protection Board (EDPB), a body which helps coordinate pan-EU regulatory activity, said today it has adopted its first Article 65 decision — referring to the mechanism for settling disagreement between the EU’s patchwork of data supervisors. This means that at least a two-thirds majority of the EU DPAs have backed the settlement.

“On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA,” it wrote in a statement.

Ireland’s deputy commissioner, Graham Doyle, confirmed the EDPB has informed it of an Article 65 decision — but declined to comment further at this stage.

Ireland’s DPC now has up to a month to issue a final decision.

“The Irish SA [supervisory authority] shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision,” the EDPB statement adds.

Details of any penalties Twitter may face — such as a fine — have not yet been confirmed. But the end of the process is now in sight.

GDPR places a legal obligation on data controllers to adequately protect personal data. Financial penalties for violations of the framework can scale up to 4% of a company’s annual global turnover. (Although, in the case of big tech, the largest GDPR fine to date remains a $57M fine slapped on Google by France’s CNIL.)

Unlike that Google case — which CNIL pursued ahead of Google moving its EU legal base to Ireland — the Twitter case is cross-border and will be the first such big tech GDPR case to be concluded once a final decision is out.

The EU’s flagship data protection regulation continues to face criticism over how long it’s taking for cases and complaints to be investigated and decisions issued — especially those related to big tech.

Last year the Irish regulator said its first cross-border GDPR decisions would be coming “early” in 2020. In the event its first one will arrive before the end of 2020 — but that’s a pace that’s unlikely to silence critics who argue EU regulators are not equipped for the complex, resource-intensive task of overseeing how big tech handles people’s data.

The Twitter breach case is also likely to be considerably less complex than some of the complaint-based GDPR investigations ongoing into big tech platforms — which include probes around the legal bases for Facebook to process user data and how Google’s ad exchange is using Internet users’ data. Yet the EDPB still allowed for a full extra month to the Article 65 process (instead of the default one month) because of what it described as “the complexity of the subject matter”. That hardly bodes well for more contentious cases.

Still, going through dispute resolution over cross-border cases may lead to greater consistency and help DPAs pick up enforcement pace over time.

The UK’s ICO looks like a bit of a cautionary tale in this regard — having recently taken the clippers to massive preliminary fines it announced in a couple of (non-big tech GDPR) data breach cases, meaning enforcement ended up being both later and less stinging than it had first appeared.

Despite critics’ claims that GDPR enforcement continues to be lacking in places where it should be hard-hitting, the question of how to effectively regulate big tech is one that EU lawmakers aren’t backing away from.

On the contrary, the Commission is set to lay out a legislative proposal next month to apply ex ante rules to dominant Internet platforms as part of a planned Digital Markets Act. Under the plans, so-called ‘gatekeepers’ will to be subject to a list of ‘dos and don’ts’ that’s slated to include controls on how they can share data. It could also see a push to create a pan-EU regulator to oversee major platforms. 

Such an approach could help to reduce the oversight burden facing a handful of EU DPAs with an outsized number of big tech giants on their books, such as the Irish DPC. But, again, there’s likely to be a long wait ahead before any new EU platform rules are in a position to be effectively enforced.