The Data Protection Commission (DPC) has imposed an administrative fine of €450,000 on Twitter. The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (“dispute resolution”) process since the introduction of the GDPR and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.
The issue for which Twitter has been fined was caused by a bug affecting Android phone users. When such a user changed the email address associated with their Twitter account, their protected tweets became unprotected and were consequently accessible to the wider public without the user’s knowledge.
The DPC took into account the following:
• the number of users affected by the underlying bug; and
• the nature of the processing operations that gave rise to the Breach.
In addition, the Commissioner gave significant weight to the expectation individuals had when they chose to keep their tweets protected:
“the large scale of the affected user segment gives rise to the possibility of a much broader spectrum of damage arising from the Breach, particularly given the nature of the service being offered by TIC” and “the likelihood that many users will have relied on the function of keeping “tweets” private to share information or views (in the comfort of what they believe to be a private and controlled environment) that they would not ordinarily release into the public domain.”
Twitter did not document the breach properly, and the DPC could not assess the breach efficiently, which required it to raise multiple queries concerning the facts of the breach and the circumstances around the notifications of the breach.
The Commissioner confirmed that the breach affected a significant cohort of individuals (88,726 in the EU/EEA) and that this should be taken into account both in deciding to impose an administrative fine and in determining the level of that fine.
The DPC also added that the objective of Article 33(1) is to ensure prompt notification of data breaches to supervisory authorities so that a supervisory authority can assess the circumstances of the data breach, including the risks to data subjects, and decide whether the interests of data subjects require to be safeguarded, to the extent possible, by mitigating the risks to them arising from a data breach, by action on the part of the supervisory authority – for example by requiring the controller to notify data subjects about the breach.
A controller’s obligation to notify a Supervisory Authority cannot depend on the compliance by its processor with its obligations under Article 33(2) GDPR.
Twitter did not perform a backward-looking analysis to identify the risks to data subjects arising from the Breach.
The Commissioner has noted “In considering the application of the principles of effectiveness, proportionality and dissuasiveness of the administrative fine, I consider that a fine cannot be effective if it does not have significance relative to the revenue of the data controller. In addition, I consider that, in order to be “effective”, a fine must reflect the circumstances of the case at hand. In this case, and as I have outlined above, I consider the infringements under Article 33(1) and 33(5) to be moderately serious in terms of their gravity”.
The information in this article has been taken from the DPC’s decision and does not represent the view of the author.