European Data Protection Board makes first Article 65 decision

The European Data Protection Board (EDPB) reached its first binding decision on an Article 65 dispute in November 2020. The dispute concerns the Irish Data Protection Commission’s (DPC) decision to fine Twitter over a five-year data breach, although some European supervisory authorities are likely to still be unhappy with the fine imposed.

The EDPB announced that a vote to back a draft decision submitted by the DPC had passed by a two-thirds majority. The settlement relates to Twitter’s disclosure of a bug in its tweet protection feature in early 2019.

The feature, designed to protect tweets from public viewing, was found to have a bug meaning that Android users who applied the feature may have had their data exposed to the public internet as far back as 2014. Since the breach lasted from 2014-2019, it fell under the EU’s General Data Protection Regulation (GDPR), introduced in 2018, with Article 65 of the regulation relating to cross-border matters.

With Twitter’s European headquarters situated in Dublin’s George’s Quay, the DPC became the lead supervisory authority (LSA) in the case, but its cross-border nature meant that the EDPB, which brings together the data commissioners of Europe to coordinate pan-EU regulatory activity, was brought in to adjudicate on the draft decision the DPC had taken.

The EDPB process allows these data commissioners and supervisory authorities to raise “relevant and reasoned” objections to draft decisions. In the summer of 2020, deputy commissioner of the DPC, Graham Doyle stated that, following consultations with the concerned supervisory authorities (CSAs), the DPC had submitted the matter to the EDPB under Article 65, making this case the first referral of its kind.

Despite hoping to have a decision on the case “early” in 2020, action was delayed by disagreements between the DPC and other supervisory authorities. Eventually, agreement was reached two years after the investigation into Twitter began and the EDPB announced in November 2020 that it had “adopted by two-thirds majority of its members its first dispute resolution decision on the basis of Art. 65 GDPR”.

Explaining the process through which EU-wide data regulation is now performed, the EDPB said: “In May 2020, the Irish SA [the DPC] shared its draft decision with the CSAs in accordance with Art. 60 (3) GDPR. The CSAs then had four weeks to submit their relevant and reasoned objections (RROs). Among others, the CSAs issued RROs on the infringements of the GDPR identified by the LSA, the role of Twitter International Company as the (sole) data controller, and the quantification of the proposed fine.

“As the LSA rejected the objections and/or considered they were not ‘relevant and reasoned’, it referred the matter to the EDPB in accordance with Art. 60 (4) GDPR, thereby initiating the dispute resolution procedure. Following the submission by the LSA, the completeness of the file was assessed, resulting in the formal launch of Art. 65 procedure on 8 September 2020. In compliance with Article 65 (3) GDPR and in conjunction with Article 11.4 of the EDPB Rules of Procedure, the default adoption timeline of one month was extended by a further month because of the complexity of its subject matter.”

“The DPC announced on 15 December that it had imposed an administrative fine of €450,000 on Twitter ‘as an effective, proportionate and dissuasive measure’ after its investigation had found that Twitter had ‘infringed Article 33 (1) and 33 (5) if the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach’.”

The binding decision was subsequently adopted on 9 November. In its decision, the EDPB stated that the DPC had ruled that Twitter had not met its obligations under Article 33 (1) GDPR and also found that Twitter had not acted in a timely manner with regard to the data breach. Twitter “became actually aware of the breach on 7 January 2019 but should have been aware of the breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened”.

Companies are required to notify commissioners of a data breach within 72 hours of its discovery under Article 33 (1) GDPR, but in this case the “ineffectiveness of the process” in the “particular circumstances” and “a failure by [Twitter] staff to follow its incident management process” mean that Article 33 (1) GDPR had been violated nonetheless.

In its binding decision, the EDPB ruled: that the DPC did not have to amend its draft decision on the basis of the complaints raised by the other supervisory authorities; that, despite concerns raised about further infringements committed by Twitter, the DPC was not required to amend its draft decision as the “factual elements” of the DPC decision were “not sufficient to allow the EDPB to establish the existence of infringements”; that amid protestation that the fine the DPC wanted to issue was not dissuasive enough, it was “required to reassess the elements it relies upon to calculate the amount of the fixed penalty to be imposed on TIC [Twitter] and to amend its draft decision by increasing the level of fine in order to ensure it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality”.

Having been given a month to announce its decision, the DPC announced on 15 December that it had imposed an administrative fine of €450,000 on Twitter “as an effective, proportionate and dissuasive measure” after its investigation had found that Twitter had “infringed Article 33 (1) and 33 (5) if the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach”. The DPC had originally proposed a fine of between €135,000 and €275,000 in its draft decision, but the binding decision of the EDPB forced that figure upwards.

It is unlikely that this new figure will have appeased the European supervisory authorities that had raised issues with the perceived laxity of the fine. The German supervisory authority had advocated for a fine of between €7,348,035 and €22,044,195, stating: “As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high in that to would render the illegal processing unprofitable.”

Twitter responded to the judgement stating its delay in reporting the breach had been “an unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day”; it is thought that DPC took this into account when deciding the fine amount.

This being the first fine issued by the DPC under GDPR rules could be a portent of things to come, with many major firms accused of data breaches having their European headquarters in Dublin and over 6,600 valid breach notifications received in 2020, this is most likely the beginning of a long battle for the DPC.