December 16, 2020
Ireland’s Data Protection Commission fined Twitter €450,000 (about $546,000) for failing to notify the regulator or document a data breach within 72 hours. The breach, revealed in January 2019, exposed some Android users’ private tweets for over four years. Twitter chief privacy officer Damien Kieran said the company takes responsibility … and remains “fully committed to protecting the privacy and data of [its] customers.” This is the first time a U.S. tech company has been served with a GDPR fine in a cross-border case.
The Wall Street Journal reports that, “the case is a bellwether because it is the first in a long pipeline of privacy cases involving big U.S. tech companies in Ireland,” including Google, Apple and Facebook. It adds that, “Ireland’s data commission leads enforcement of the EU’s General Data Protection Regulation, or GDPR, for those and other U.S. companies that have their regional headquarters in the country.”
The Irish commission took almost two years to come to a decision, “including nearly five months for the commission and its counterparts in other EU countries to squabble over jurisdiction, investigatory scope and the amount of the fine.”
Some regulators are frustrated, with BEUC senior legal officer David Martin, for example, saying, “the credibility of the whole system is at stake if enforcement doesn’t improve.”
The European Commission principal adviser on justice policy Paul Nemitz stated that, “some other regulators are starting to push their own privacy cases using laws other than the GDPR.” For example, France’s privacy regulator, the CNIL, levied a fine against Google and Amazon for a “combined $163 million for violations of a separate rule called the ePrivacy directive,” sidestepping the GDPR.
The Irish Data Protection Commission head Helen Dixon admitted that, “the process didn’t work particularly well … I think it’s too long,” but noted it was “the first time EU data-protection authorities have stepped through the process, so maybe it can only get better from here.”
Among the EU partners, the amount of the fine was “one major source of contention.” Although the GDPR allows a fine up to 2 percent of a company’s global annual revenue, which would have been about $60 million in Twitter’s case, the Irish commission “recommended a fine of only 0.25 percent to 0.5 percent of that maximum because it found the violation was negligent, not intentional or systematic.” Germany, however, wanted a fine ranging between €7 million and €22 million.
The Verge reports that, “this cross-border process is part of the reason why it’s taken so long to issue this fine.” After Ireland’s Data Protection Commission posted its draft decision in May, “several other regulators raised objections to several points in its decision, which eventually led to a dispute-resolution process,” which was largely focused on the amount of the fine.