[BreachExchange] Twitter fined ~$550K over a data breach in Ireland’s first major GDPR decision

Destry Winant destry at riskbasedsecurity.com
Wed Dec 16 10:51:30 EST 2020


https://techcrunch.com/2020/12/15/twitter-fined-550k-over-a-data-breach-in-irelands-first-major-gdpr-decision/

Ireland’s Data Protection Commission (DPC) has issued Twitter with a
fine of €450,000 (~$547,000) for failing to promptly declare and
properly document a data breach under Europe’s General Data Protection
Regulation (GDPR).

The decision is noteworthy as it’s the first such cross-border GDPR
decision by the Irish watchdog, which is the lead EU privacy
supervisor for a number of tech giants — having a backlog of some 20+
ongoing cases at this point, including active probes of Facebook,
WhatsApp, Google, Apple and LinkedIn, to name a few.

“The DPC’s investigation commenced in January, 2019 following receipt
of a breach notification from Twitter and the DPC has found that
Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a
failure to notify the breach on time to the DPC and a failure to
adequately document the breach. The DPC has imposed an administrative
fine of €450,000 on Twitter as an effective, proportionate and
dissuasive measure,” the regulator writes in a press release.

The GDPR requires most breaches of personal data to be notified to the
relevant supervisory authority within 72 hours of the controller
becoming aware of the breach.

The regulation also requires they document what data was involved and
how they’ve responded to the security incident — in order that the
relevant data supervisor can check against compliance.

In this case Twitter was found to have failed on both counts.

We’ve reached out to the social media company for comment, including
asking whether it plans to accept the decision and pay up — or if it’s
considering its legal options.

Update: Twitter has now sent this statement, attributed to Damien
Kieran, its chief privacy officer and global data protection officer:

Twitter worked closely with the Irish Data Protection Commission
(IDPC) to support their investigation. We have a shared commitment to
online security and privacy, and we respect the IDPC’s decision, which
relates to a failure in our incident response process. An
unanticipated consequence of staffing between Christmas Day 2018 and
New Year’s Day resulted in Twitter notifying the IDPC outside of the
72 hour statutory notice period. We have made changes so that all
incidents following this have been reported to the DPC in a timely
fashion.

We take responsibility for this mistake and remain fully committed to
protecting the privacy and data of our customers, including through
our work to quickly and transparently inform the public of issues that
occur. We appreciate the clarity this decision brings for companies
and consumers around the GDPR’s breach notification requirements. Our
approach to these incidents will remain one of transparency and
openness.

The company also told us that since this specific incident, where
inadequate staffing over the 2018 holiday period led to a delay in
reporting the breach, it has made all relevant incident reports to the
DPC within the required 72 hour period.

The DPC’s decision relates to a breach that Twitter publicly disclosed
in January 2019 — when it said a bug in its ‘Protect your tweets’
feature could have meant some Android users who’d applied the setting
to make their tweets non-public may have had their data exposed to the
public Internet since as far back as 2014. (Though GDPR would only
apply to data the bug exposed since May 2018.)

Since fessing up to the ‘Protect your tweets’ bug, Twitter has had
plenty more egg on its face where security is concerned — including
suffering a high profile account hijacking episode earlier this year,
after crypto-scam-spreading hackers gained network access credentials
using a social engineering technique.

Ireland’s DPC, meanwhile, continues to face criticism for the length
of time it’s taking to reach decisions on major cross-border GDPR
cases where impacts on individual rights can scale to hundreds of
millions of European Internet users.

Last year commissioner Helen Dixon said its first major GDPR decisions
would come “early” in 2020.

In the event the first cross-border decision has crossed the line days
before the end of the year — underlining the challenges for the bloc
in effectively enforcing its digital rulebook against tech giants.
(GDPR technically began being applied in May 2018, although platform
giants have faced precious little enforcement to date.)

In this specific case, some half a year extra was added to the
decision timeline after a draft outcome Ireland submitted to other EU
DPAs for review, back in May, was not accepted by all of them —
triggering a majority vote mechanism in the GDPR for settling
disagreement between the bloc’s data supervisors.

The European Data Protection Board (EDPB) has published this Article
65 decision and the full final decision on its website here.

The (now) final outcome on the Twitter case comes at a key time — with
EU lawmakers due to set out their next major pieces of digital policy
later today, as part of an ambitious push to accelerate regional
digitization by rolling out a reassuring promise of European
guardrails wrapping around all this tech.

Yet GDPR enforcement is proving such a tedious, friction-filled
process that it threatens to take the shine off the nascent Digital
Services Act and Digital Markets Act many months (or even years)
before they can become EU law — raising questions about how the whole
strategy can be expected to function in the absence of effective (i.e.
fair but fast) enforcement.

The wider risk here is European citizens losing faith in the
rights-based framework they’re told they enjoy, under EU law and the
bloc’s patchwork of regulatory frameworks, if the animal turns out to
be such a plodding house-cat when people do try to obtain relief.

So the Commission’s strategy of claiming expanded digital rules will
act as a public trust booster risks falling into a trough of
disillusionment at the legislative proposal stage.

Simply put: You can’t allow your regulators to move so slowly and
expect your rulebook to touch tech giants whose playbook is to move
fast in order to disrupt the rule of law in their own business’
interests.

The DPC’s decision in the Twitter case is thus a measure of how
sizeable a gap sits between the rhetoric EU policymakers ply around
the bloc’s ‘powerful’ digital rules — and the messier and more
faltering reality: Nearly two years since Twitter disclosed the breach
and waiting for a hammer to drop in what should be a relatively
straightforward case.

A data breach is not an investigation into the lawfulness of
Facebook’s business model vs GDPR, after all, nor does it delve into
the intricacies of Google’s adtech — both of which are still open case
files on the DPC’s desk.

The penalty itself is also a fraction (a little over 0.1%) of
Twitter’s full-year 2019 revenue; a far cry from the up to 4% of
global annual turnover maximum allowed for under the GDPR (or the up
to 2% max for the specific infringements involved in the breach case).

The size of the fine calculated by Ireland was one of the objections
raised by other EU DPAs during the dispute of the draft decision — the
DPC initially proposed an even smaller fine (in the range of 0.005%
and 0.01% of Twitter’s annual turnover; or between €135k and €275k).

The Article 65 intervention forced Ireland to increase the size of the
penalty (though not by much), with the EDPB issuing a binding
requirement that Ireland reassess the calculation “so as to ensure it
is appropriate to the facts of the case”. (It did not specify how
large an increase would be required.)

We’ve reached out to the DPC for comment.

EU DPAs also disagreed on the controller/processor status of Twitter’s
Irish business vs its US entity — with Ireland accepting Twitter
Ireland as the data controller and Twitter Inc as the processor, a
designation that seems intended to reduce its liability.

So this first cross-border GDPR decision looks more millstone than
milestone for the Commission, at the fag end of 2020.

There’s not a lot for commissioners to celebrate here, even though
they suggested in the summer that the best answer to GDPR enforcement
concerns would be for Ireland to get a decision out. The problem now
is the black marks against the bloc’s record on digital enforcement
look stubbornly set in — just as the Commission is laying out a plan
to go all in on platform regulation.

The questions over enforcement are going to keep coming.

Update: A spokeswoman for the DPC pointed to the seven pages of the
decision (pages 175 to 182) — where it details its rationale for
calculating the level of the fine — for what it considers “moderately
serious” infringements of the GDPR.

“I am satisfied that a fine in this amount will be effective,
proportionate and dissuasive, taking into account all of the
circumstances of this case,” the DPC writes, adding: “In addition, in
circumstances where the fine which I have now decided to impose
represents an increase of approximately 67% on the upper level of the
range of the fine previously proposed in the Draft Decision, I
consider that the fine imposed accords with the binding direction of
the EDPB.”

On the controller/processor point, the spokeswoman said:

The DPC is satisfied that Twitter International Company was the
controller, and Twitter Inc. was the processor, in relation to the
processing of personal data which was the subject matter of the breach
in this case. The DPC’s conclusion in this respect was based on
confirmation provided by Twitter International Company, both in its
Privacy Policy and directly to the DPC during the course of the
Inquiry and in its notification of the breach, that it was the
provider of the Twitter services in the EU. In addition, the DPC was
satisfied, based on its own analysis of the facts presented during the
Inquiry, and in particular, the interactions that took place between
Twitter International Company and Twitter Inc. in relation to the
processing that was the subject matter of the breach, that Twitter
International Company exercised authority and bore responsibilities as
the controller, and that Twitter Inc. acted as the processor, in this
case.

