EDPB - Binding Decision 1/2020 - 'Twitter' - 1/2021

| | |
|---|---|
| Authority: | EDPB |
| Jurisdiction: | European Union |
| Relevant Law: | Article 4(24) GDPR; Article 5(1)(f) GDPR; Article 28 GDPR; Article 33(1) GDPR; Article 33(5) GDPR; Article 60(4) GDPR; Article 65(1)(a) GDPR |
| Type: | Other |
| Outcome: | n/a |
| Started: | |
| Decided: | 09.11.2020 |
| Published: | |
| Fine: | None |
| Parties: | n/a |
| National Case Number/Name: | 1/2021 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | English |
| Original Source: | EDPB website (in EN) |
| Initial Contributor: | n/a |
English Summary
Facts
After a data breach at Twitter, the IE SA (DPC), acting as lead supervisory authority, issued a draft decision to the other SAs. Several of them (FR, DE, DK, IT, NL, ES, HU) raised and maintained relevant and reasoned objections under Article 60 GDPR.
Therefore, the EDPB issued its first decision under Article 65(1)(a) GDPR, addressing all the objections of the SAs.
Dispute
- Are Twitter Inc and TIC (Twitter Ireland) controller, processor, or joint controllers?
- Where is the main establishment of Twitter, and therefore does the DPC have jurisdiction?
- When is a relevant and reasoned objection admissible under Article 4(24) GDPR?
- Can violations of the GDPR other than Article 33(1) and (5) be established?
Holding
1. On the admissibility of an objection, the jurisdiction of the DPC, the controller-processor relationship
In essence, the objections raised addressed the fact that the Draft Decision does not contain enough evidence to legally and factually establish the roles of the entities concerned.
The EDPB considers that an objection concerning the role, or designation, of the parties can fall within the meaning of the definition of ‘relevant and reasoned’ objection under Article 4(24) GDPR, as this can affect the determination as to whether there is an infringement of this Regulation, or whether envisaged action in relation to the controller or processor complies with this Regulation.
However, the EDPB considers that an objection on the competence of the supervisory authority acting as LSA should not be raised through an objection pursuant to Article 60(4) GDPR and falls outside of the scope of Article 4(24) GDPR.
Moreover, the EDPB considers that the aforementioned objections do not meet the requirements set out in Article 4(24) GDPR.
2. On the violation of Article 33(1) obligation to notify in due time
According to the Draft Decision, therefore, TIC became actually aware of the Breach on 7 January 2019 but should have been aware of the Breach at the latest by 3 January 2019, since on that date Twitter, Inc. as processor first assessed the incident as being a potential data breach and the Twitter, Inc. legal team instructed that the incident be opened. The Draft Decision stated that where the processor does not follow the procedure or the procedure fails otherwise the controller cannot excuse its own delayed notification on the basis of the processor’s fault, as the performance by a controller of its obligation to notify cannot be contingent upon the compliance by its processor with its obligations under Article 33(2) GDPR. This led to the infringement of Article 33(1) GDPR even if less than 72 hours elapsed between the moment at which TIC became actually aware of the Breach (7 January 2019) and the notification (8 January 2019).
The FR SA raised an objection stating that the findings do not correspond to an infringement of Article 33(1) GDPR, but rather of Article 28 or Article 32 GDPR, which set out the obligations of the controller when it decides to have recourse to a processor.
The DE SA argued in its objection that the issue of the allocation of roles affects the determination of the moment of awareness of the Breach, as the knowledge of a breach must be equally attributed to both joint controllers.
The IE SA considers that this objection requests consideration of alternative provisions of the GDPR, and that such a request by the CSAs would essentially seek to re-scope the Inquiry conducted: the IE SA concluded that such an objection does not fall within the definition of “relevant and reasoned objection” for the purposes of Article 4(24) GDPR.
Again, the EDPB considered that the objections raised do not clearly demonstrate the significance of the risks posed by the Draft Decision as regards the fundamental rights and freedoms of data subjects.
3. On the violation of Article 33(5) GDPR
The Draft Decision of the DPC found that TIC did not comply with its obligations under Article 33(5) GDPR to document the Breach, since the documentation furnished by TIC in the course of the inquiry was not considered to contain sufficient information and was not considered to contain a record or document of, specifically, a “personal data breach”, as it amounted to “documentation of a more generalised nature”.
According to the IT SA, the finding in the Draft Decision that TIC provided full cooperation during the investigative phase should be reviewed as such full cooperation can only be considered to exist if adequate, exhaustive documentation is made available by the controller in a straightforward manner.
The EDPB does not take a position on the merits of the substantial issues raised by this objection “because it fails to clearly demonstrate the significance of the risks posed by the Draft Decision as it does not show the implications the alleged mistake in the Draft Decision would have for the protected values”.
4. On potential alternative or further violations of the GDPR identified by the CSAs (concerned supervisory authorities)
In order to determine whether TIC complies with its obligations under Article 33(1) GDPR, the IE SA considered them in the context of a controller's broader obligations, including those of accountability (Article 5(2) GDPR), of engagement of a processor (Article 28 GDPR), and in respect of the security of processing of personal data (Article 32 GDPR). However, the DPC did not consider whether or not TIC complied with any or each of these obligations other than for the purpose of assessing TIC’s compliance with its obligations under Article 33(1) and Article 33(5) GDPR.
The DE, FR, HU, and IT SAs raised objections that TIC infringed other provisions of the GDPR in addition to, or instead of, Article 33(1) and Article 33(5) GDPR.
The LSA (DPC) recalls that it informed TIC at the beginning of the inquiry that its purpose was to verify TIC’s compliance with Article 33(1) and Article 33(5) GDPR in respect of its notification of the Breach to the LSA on 8 January 2019. Therefore, the LSA maintains that if it were to follow the CSAs’ objections and include other infringements in its final decision “on the basis of only the material contained in the Draft Decision”, this would result in jeopardising “the entirety of the Inquiry and Article 60 process by exposing it to the risk of claims of procedural unfairness”.
The other provisions being addressed by the objections of the SAs are the following:
- Infringement of Article 5(1)(f) GDPR on the principle of integrity and confidentiality
  - The EDPB considers the objection raised by the DE SA in relation to the potential additional infringement of Article 5(1)(f) GDPR to be relevant and reasoned for the purposes of Article 4(24) GDPR, but considers that the HU SA’s objection on the same topic does not meet the requirements of Article 4(24) GDPR.
- Infringement of Article 5(2) GDPR on the principle of accountability
  - The EDPB considered that the IT SA’s objection on Article 5(2) GDPR meets the requirements set out in Article 4(24) GDPR. The EDPB will therefore analyse the merits of the substantial issues raised by this objection.
- Infringement of Article 24 GDPR on the responsibility of the controller
  - The EDPB accepts that an objection may challenge the conclusion of the LSA by considering that the LSA’s findings actually lead to the conclusion that another provision of the GDPR has been infringed in addition to, or instead of, the provision identified by the LSA. The EDPB considers that this is precisely the essence of the DE SA’s objection, which therefore does not prevent it from being relevant and reasoned. The EDPB accordingly assesses the merits of the substantial issues raised by this objection.
- Infringement of Article 28 GDPR on the relationship with processors
  - According to the EDPB, the objections of the FR and IT SAs do not clearly demonstrate the significant risks posed by the Draft Decision for the fundamental rights and freedoms of data subjects with specific regard to the failure to conclude on an infringement of this specific provision.
- Infringement of Article 32 GDPR on the security of processing
  - According to the EDPB, the DE SA’s objection clearly demonstrates the significance of the risks posed by the Draft Decision for the rights and freedoms of data subjects, in particular by highlighting that the facts amount to a “significant” and “substantial” breach of the confidentiality of personal data and that a large number of persons were concerned for a substantial period of time. However, the objections of the FR and HU SAs do not meet the requirements of Article 4(24) GDPR.
- Infringement of Article 33(3) GDPR on the content of the notification of a personal data breach
  - According to the EDPB, the DE SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects. As a consequence, the DE SA’s objection on Article 33(3) GDPR fails to meet the requirements set out in Article 4(24) GDPR.
- Infringement of Article 34 GDPR on the communication of a personal data breach to the data subject
  - The HU SA considers that, if changed, the Draft Decision would lead to the conclusion of additional infringements of the GDPR. However, the EDPB concludes that the HU SA does not clearly demonstrate the significant risks posed by the Draft Decision to the fundamental rights and freedoms of data subjects.
The Board analyses the objections found to be relevant and reasoned - in particular the DE SA’s objections on Article 5(1)(f), Article 24 and Article 32 GDPR, as well as the IT SA’s objection on Article 5(2) GDPR - together with the LSA’s response to those objections and the TIC submissions. The Board considers that the factual elements available in the Draft Decision and in the objections are not sufficient to allow the EDPB to establish the existence of further (or alternative) infringements of Articles 5(1)(f), 5(2), 24 and 32 GDPR. Even in the case of an own-volition inquiry, the Guidelines on relevant and reasoned objections state that the LSA “should seek consensus regarding the scope of the procedure (i.e. the aspects of data processing under scrutiny) prior to initiating the procedure formally”, including in the context of a possible new proceeding. The EDPB also recalls the existence of the full range of cooperation tools provided for by the GDPR (including Articles 61 and 62 GDPR), bearing in mind the goal of reaching consensus within the cooperation mechanism and the need to exchange all relevant information, with a view to ensuring protection of the fundamental rights and freedoms of data subjects. The EDPB considers that, in determining the scope of the inquiry, whilst it can be limited, an LSA should frame it in such a way that it permits the CSAs to effectively fulfil their role, alongside the LSA, when determining whether there has been an infringement of the GDPR.
5. On the lack of reprimand in the draft decision
While the corrective powers originally proposed were both a reprimand, pursuant to Article 58(2)(b) GDPR, and an administrative fine, pursuant to Article 58(2)(i) GDPR, the final Draft Decision consists of the imposition only of an administrative fine on TIC as the controller.
The LSA decided, having regard to the scope of the inquiry, which focussed on the controller’s obligations in relation to the Breach notification, that its inquiry “did not involve a finding that the underlying ‘processing operations’ relating to the Breach infringed [...] the GDPR”. Therefore, the LSA considered that there was no reason to review its decision not to issue a reprimand in light of the DE SA’s objection.
The EDPB nonetheless considered that the objection by the DE SA did not meet the requirements of Article 4(24) GDPR, since it does not explain how the failure to impose a reprimand in this specific case - where a fine is also imposed - may trigger risks for data subjects’ fundamental rights and freedoms.
6. On the calculation of the fine
Considering all the factors of Article 83(2) GDPR, the IE SA proposed to impose an administrative fine within the range of 150,000-300,000 USD, i.e. between 0.005% and 0.01% of the undertaking’s annual turnover or between 0.25% and 0.5% of the maximum amount of the fine which may be applied in respect of these infringements. This equates to a fine in Euro of between 135,000 and 275,000.
- The AT SA considers the range of fine proposed by the IE SA neither effective, nor dissuasive, nor proportionate.
- The DE SA raised an objection arguing that the fine proposed by the LSA is “too low” and “does not comply with the provisions of Article 83(1) GDPR”. As Twitter’s business model is based on processing data, and as Twitter generates turnover mainly through data processing, the DE SA considers that a dissuasive fine in this specific case would have to be so high that it would render the illegal data processing unprofitable. On the basis of the fine concept applicable to the DE SAs, the fine for the infringement described in the Draft Decision would range from approximately EUR 7,348,035.00 to EUR 22,044,105.00.
- The HU SA argued that, although “fines are justified for the committed infringements”, “the fine set out in the draft is unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and the Controller’s worldwide market power”.
- The IT SA asked the LSA to “review the draft decision as also related to quantification of the administrative fine, taking also account of specific aggravating elements of the case with regard to the nature of the data controller and the severity and duration of the data breach”.
Decision of the EDPB on the above:
- The EDPB agrees with the IE SA’s assessment that the controller cannot be expected to have become aware of the breach at the moment its processor realised that a security incident had occurred.
- The EDPB considers that a company for which the processing of personal data is at the core of its business activities should have in place sufficient procedures for the documentation of personal data breaches, including remedial actions, which will also enable it to comply with the duty of notification under Article 33(1) GDPR. This is an additional element to take into consideration in the analysis of the gravity of the infringement.
- While the LSA in its Draft Decision made reference to the requirement that the fine must be dissuasive and proportionate, the EDPB considers that the LSA did not sufficiently substantiate how the proposed fine addresses these requirements. In particular, the EDPB notes that the LSA moves from calculating the maximum amount of the fine (set at $60 million) to stating the proposed fining range (set between $150,000 and $300,000), without further explanation as to which particular elements led the LSA to identify this specific range. Beyond the general reference to the relevant factors of Article 83(2) GDPR, there is no clear motivation for the choice of the proposed percentage (between 0.25% and 0.5%) of the maximum applicable fine under Article 83(4) GDPR.
- In this regard, the EDPB has elaborated above the reasons why the LSA in its Draft Decision should have given greater weight to the element relating to the nature, scope and negligent character of the infringement, and therefore considers that the proposed fine range should be adjusted accordingly.
- The EDPB considers that the fine proposed in the Draft Decision is too low and therefore does not fulfil its purpose as a corrective measure; in particular, it does not meet the requirements of Article 83(1) GDPR of being effective, dissuasive and proportionate.
- The EDPB requests the IE SA to re-assess the elements it relies upon to calculate the amount of the fixed fine to be imposed on TIC, so as to ensure it is appropriate to the facts of the case.