On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.

The bug in question resulted in protected tweets being changed to unprotected tweets, making them widely available to the public without the user’s knowledge. This bug impacted Twitter users on Android devices who had changed the email address associated with their Twitter accounts. Twitter estimated that 88,726 Twitter users in Europe were affected between September 5, 2017 and January 11, 2019. The bug was discovered on December 26, 2018.

Investigation and GDPR Dispute Resolution Procedure

The DPC commenced its investigation into Twitter’s breach under Section 110 of the Irish Data Protection Act 2018 in January 2019, and provided its draft decision to “Concerned Supervisory Authorities” in May 2020, as required by Article 60 of the GDPR. Supervisory authorities in Austria, Italy and Germany raised objections to the size and “insufficiently dissuasive nature” of the DPC’s proposed penalty, which was within the range of €135,000-€275,000. This resulted in the DPC triggering the GDPR’s dispute resolution procedure and referring the matter to the European Data Protection Board (“EDPB”) with regard to those objections it was unable or unwilling to resolve.

This represents the first time that the dispute resolution procedure, set out under Article 65 of the GDPR, has been used. The EDPB evaluated the matter and issued its binding decision on November 9, 2020, which required that the DPC “re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on [Twitter], and to amend its Draft Decision by increasing the level of the fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality.”

In evaluating the DPC’s initial approach, the EDPB stated that the DPC should have given greater weight while calculating its fine to the nature and scope of the processing involved in the breach, pointing in particular to the fact that Twitter users would have relied on the function of keeping tweets private to share information or views that they would not ordinarily share publicly. In adjusting the fine in its final decision, the DPC accordingly noted that it considered in particular the deliberate choice of Twitter users to restrict the audience of their tweets.

Background of the Investigation and Findings of the DPC

The alleged failures identified by the DPC were Twitter’s infringement of Articles 33(1) and (5) of the GDPR, which pertain to data breach notification and documentation. The DPC determined that Twitter had failed to notify the breach to the DPC within the 72-hour deadline and failed to adequately document the breach.

According to Twitter, the delay in notifying the breach to the DPC within the required timeframe resulted from a failure by Twitter International Company’s processor, Twitter, Inc., to notify Twitter International Company’s DPO of the potential breach when it became aware of it. However, the DPC essentially imputed the processor’s knowledge of the potential breach to Twitter International Company, stating that it is the controller’s responsibility to ensure that it has an effective process in place allowing processors to inform the controller of a personal data breach, and that where this does not occur and results in a delay in notification, the controller is considered to have constructive knowledge of the breach through its processor. This finding reiterates the importance of controllers and processors cooperating seamlessly in the context of security events giving rise to potential notification obligations.

As regards Twitter’s alleged failure to document the breach in accordance with Article 33(5) of the GDPR, the DPC stated that the company’s documentation of the breach did not contain sufficient information to allow the DPC to verify Twitter’s compliance with Article 33 of the GDPR. In particular, the DPC stated that the incident report provided by Twitter did not contain an adequate explanation of the issues that caused the delay in notification to the DPC, nor did it address how Twitter assessed the risks to affected users raised by the breach. This finding reiterates the importance of breach inventories under Article 33(5), which should be carefully considered in the wake of this decision.

In calculating the fine, the DPC considered the fact that the delay in notification of the breach was an isolated, rather than systemic, issue, but determined that the infringement of Article 33(5) of the GDPR was “ongoing,” since Twitter maintained in its submissions that its documentation of the breach was not deficient. Nonetheless, the DPC considered the infringements of both Articles 33(1) and (5) of the GDPR to be negligent rather than intentional.

With regard to mitigation, the DPC considered the steps taken by Twitter, Inc., to rectify the bug to be the sole mitigating factor, disregarding steps taken by Twitter that were required by law. The DPC stated: “An action, taken by a controller where it is mandated to do so on foot of a statutory obligation cannot be viewed as a mitigating factor.” As a statutory requirement, Twitter’s cooperation with the investigation also was not considered to be a mitigating factor. The DPC further considered the “imprecise nature” of the information originally provided to the DPC regarding the breach as a relevant factor when setting the amount of the fine.

Twitter tweeted following the DPC’s announcement that it took full responsibility for its mistake and remains committed to protecting the data of its customers, adding: “We appreciate the clarity this decision brings for companies and the public around the GDPR’s breach notification requirements. As always, our approach to these incidents will remain one of committed transparency and openness.”

Download both the DPC’s final decision and the EDPB’s decision.

See also the EDPB’s Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.