
TECHNOLOGY AND INNOVATION

Data Protection Commission Imposes a €450,000 fine on Twitter for a GDPR Data Breach

December 2020

The Data Protection Commission has announced that it has imposed a €450,000 fine on Twitter as a result of Twitter’s response to a data breach that occurred in 2018.

The Data Protection Commission (the “DPC”) announced on 15 December 2020 that it has imposed an administrative fine of €450,000 on Twitter International Company (“Twitter”) as a result of that company’s handling of, and response to, a data breach. The data breach in question, which occurred in December 2018, involved a technical issue which resulted in some Twitter users’ protected tweets becoming publicly available to other viewers. The DPC found that Twitter infringed Articles 33(1) and 33(5) of the General Data Protection Regulation (the “GDPR”) as a result of its failure to notify the DPC of the breach within the statutory 72-hour notification period and its failure to adequately document the breach.

In this briefing, we examine the significance of this decision in the wider context of the application and enforcement of the GDPR in Ireland and across the EU.

The Decision-making Process

The DPC launched an inquiry into Twitter on 22 January 2019 following receipt of a data breach notification from Twitter. The programming error that was responsible for the breach in question may have existed since 2014 and affected at least 88,726 users in the EU and EEA between 5 September 2017 and 11 January 2019. However, while the data breach in question was recognised by Twitter internally on 26 December 2018, there was an internal delay during the Christmas holiday period which resulted in Twitter ultimately notifying the DPC of the breach on 8 January 2019.

In light of the cross-border nature of the processing of personal data that was the subject of the breach, the DPC, as the lead supervisory authority for Twitter, cooperated with other supervisory authorities concerned with the intention of reaching a consensus on this matter pursuant to Article 60 GDPR. Accordingly, the DPC submitted its draft decision to the other supervisory authorities concerned in May 2020 in relation to the inquiry it had completed into Twitter and its compliance with Articles 33(1) and 33(5) of the GDPR. However, the DPC and the other supervisory authorities concerned were ultimately unable to reach a consensus.

As a result, in accordance with the consistency mechanism provided for under Chapter VII of the GDPR, which aims to achieve the consistent application of the GDPR throughout the EU, the matter was referred to the European Data Protection Board (the “EDPB”) under Article 65 of the GDPR. Pursuant to this provision, the EDPB may adopt a binding decision in accordance with the dispute resolution mechanism provided thereunder. The EDPB adopted its binding decision on 9 November 2020 and, in accordance with its obligations under Article 65(6) of the GDPR, the DPC announced on 15 December 2020 that it had delivered its final decision on the basis of the EDPB’s binding decision.

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright. © 2020 Cox LLP arthurcox.com

Twitter Investigation – Timeline

2014: Possible date of Twitter programming error
26 December 2018: Error identified as a personal data breach by Twitter
8 January 2019: Twitter notifies DPC
22 January 2019: DPC commences investigation
14 March 2020: Draft decision issued by DPC to Twitter
27 April 2020: Twitter submits comments on draft decision
22 May 2020: DPC circulates draft Decision to other SAs
8 September 2020: EDPB Dispute Resolution Procedure commences
9 November 2020: EDPB reaches decision
17 November 2020: EDPB Decision notified to DPC
9 December 2020: DPC issues final Decision to Twitter
15 December 2020: DPC announces final Decision

What are the Key Implications of this Decision?

The Twitter case marks the first time the EDPB has issued a binding decision as a result of the use of the dispute resolution mechanism under the GDPR since its introduction in May 2018. Notably, the DPC, Helen Dixon, has stated her dissatisfaction with the process for reaching a consensus with the other supervisory authorities due to its length and complexity. However, the Commissioner recognised that this case marked the first time the process was used and, as such, there is the possibility of improvements in the process in future investigations.

A Closer Look at the Fine Imposed

It is particularly significant that the Twitter case marks the first time the DPC has imposed a fine on a ‘big tech’ company under the GDPR. The DPC in its draft decision had initially proposed to impose a fine within the range of US$150,000 - US$300,000 (approximately €135,000 to €275,000). However, the EDPB, in its binding decision, required the DPC to re-assess and increase the level of the fine to be imposed on Twitter “in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality”. In the statement announcing its final decision, the DPC described the increased administrative fine of €450,000 as an “effective, proportionate and dissuasive measure”.

This is unlikely to have appeased some of the other EU Supervisory Authorities who were seeking much higher fines. For example, the German Supervisory Authorities advocated for a fine of between €7,348,035.00 and €22,044,105.00. The German rationale was based on the fact that “As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable.”

The DPC took a more measured view and determined that the €450,000 fine was in keeping with the nature of the infringement that occurred and the time period. In a statement responding to the DPC’s decision, Twitter pointed out that the delay in reporting the relevant breach occurred as “an unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day” so it seems fair to assume that the DPC took account of the fact that a delay over the Christmas holiday period did not necessarily point to a wider recurrent or systemic fault in Twitter’s reporting procedures.

It is also notable that while Twitter took steps to remedy the initial source of fault and cooperated with the DPC throughout its inquiry, the degree of cooperation by Twitter was found to not amount to a mitigating factor in the final decision reached. The DPC noted that this was a statutory obligation and Twitter did not go beyond such duty.


Ramifications for the Future

The Twitter case has shone a light on the tortuous nature of the consistency and cooperation mechanism under GDPR and on the lack of a consistent regulatory policy among Supervisory Authorities as to how to apply corrective measures, especially fines, in a manner that meets the Article 83 threshold of being “effective, proportionate and dissuasive”. The case illustrates that the DPC followed the letter of the law in terms of the process, the decision is well reasoned and, at 188 pages, very detailed. While the decision was revised on foot of the dispute resolution mechanism, the DPC preserved its policy position that this was a matter which warranted a relatively modest fine when assessed on its merits.

However, it would be unwise to read too much into the case as it will be some time before we have a sufficient body of other DPC decisions to discern predictable outcomes to future investigations. Arguably many of the other live investigations that await a final decision of the DPC will address more obvious harms to data subjects, and in turn may produce starker outcomes.

The authors would like to thank Clíodhna Golden for her contribution to this article.

OUR TEAM

Rob Corbet, Partner
Colin Rooney, Partner
Olivia Mullooly, Partner
Rachel Benson, Professional Support Lawyer
Ian Duffy, Associate
Ciara Anderson, Associate
Eoghan Clogher, Associate
Caoimhe Stafford, Associate
Aoife Coll, Associate
Siobhán O’Shea, Trainee
Alison Peate, Trainee
