DPC - In the matter of Twitter International Company (IN-19-1-1)

Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4(12) GDPR
Article 24 GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Article 65 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.12.2020
Published: 15.12.2020
Fine: €450,000
Parties: n/a
National Case Number/Name: In the matter of Twitter International Company (IN-19-1-1)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Commissioner for Data Protection (in EN)
Initial Contributor: Panayotis Yannakas

Having received submissions by Twitter, the Irish Data Protection Commissioner (DPC) proceeded to set out his provisional views as to whether, in notifying the breach to the Commission, Twitter had complied with its obligations under Article 33(1) and also under Article 33(5).

In relation to Article 33(1), the DPC's view was that, on the basis of the information and documentation provided by Twitter, it was not possible to ascertain whether TIC had complied with its obligations under Article 33(1) to provide notification about the breach without undue delay.

The same was found with Article 33(5): the Data Commissioner's view was that, on the basis of the information and documentation supplied by the Company, Twitter had failed to comply with its obligation, under Article 33(5), to document the breach of data protection.

English Summary

Facts

Through its bug bounty program, Twitter received a tip reporting a vulnerability with a potential impact on the personal data of users worldwide, including users in the European Union.

Although Twitter's employees and other contractors classified the incident as low risk, the tip was registered in an internal database. Due to the staff's negligence, the data protection officers of Twitter were not assigned to the ticket. That was the official reason for the delay in notifying the Commissioner of Data Protection, as Article 33(1) of the GDPR requires. The software in question is used for tracking bugs and malfunctions, and when a ticket is assigned to an employee, he or she also receives an automated notice. Under Twitter's organisational structure, only a Data Protection Officer is allowed to notify the Data Protection Commissioner.

Dispute

A series of legal matters were raised in the reasoning, concerning first of all how the structure of a group of companies may determine the roles of Controller and Processor, as well as the other requirements of the notice under Article 33(1).

Twitter, as a corporate group, consists of, among other entities, (a) Twitter, Inc., which is registered in the US, and (b) Twitter International Company (TIC), which is registered in Ireland. Twitter itself has characterised the latter entity as the provider of Twitter services in Europe. As to territorial jurisdiction, the Irish Data Commissioner was satisfied that (a) he is the lead supervisory authority within the meaning of the GDPR and that (b) TIC is the Data Controller in respect of the cross-border processing of the personal data that was the subject of the breach.

The bug report arrived in December 2018, but Twitter's workflow for handling such an incident was not put into action until January 3, 2019. After the Company's investigation, the number of affected EU and EEA users was confirmed as 88,726. Twitter also confirmed that the bug that led to the breach was introduced in November 2014 and fully remediated by January 2019.

A large part of the discussion concerned what triggers the 72-hour requirement, especially in the case of a group of companies. Recital 85 clearly specifies "without undue delay and, where feasible, not later than 72 hours after having become aware of it". Moreover, Twitter itself stated in a submission: "As is common with multinational corporate groups, […] use "we" and "us" loosely or refer to the group by its name, for example, "Twitter", when referring both to individual legal entities within the group of companies and/or the group of companies as a whole, without considering the implications of the distinction". So the main question was whether the awareness requirement must be a tighter standard than that imposed by the GDPR, depending on the sequence of events. For example, in a structure of subsidiary companies, is the awareness of the parent company enough to trigger the maximum limit of 72 hours?

Holding

Recital 87 of the GDPR clearly reflects that the issue of Controller "awareness", and its role in defining the timeframe within which notification is required to take place, must be seen in the context of the Controller's broader obligation to ensure that it has appropriate measures in place to facilitate such awareness, including an overarching responsibility to ensure compliance within the far broader principle of accountability. The term accountability should not come as a surprise in a personal data framework. The core line of reasoning is that if controllers or processors need to ensure a level of security appropriate to the risk posed to the personal data being processed, then they should take into account the state of the art and the nature, scope, context and purposes of processing, especially where there are risks of varying likelihood and severity to the rights and freedoms of natural persons. Under the guidelines, a combination of technical and organisational measures is at least unavoidable or foreseeable. Recital 87 states exactly that it "should be ascertained whether all appropriate technical and organisational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject […]".

The bug was identified as occurring when users unknowingly disabled the protected account's setting when adding a new email to their account using the Android Mobile App. For the Data Protection Commissioner, that description was not adequate; for example, it does not reference how the bug was assessed as satisfying the criteria for being a personal data breach within the meaning of that term under the GDPR.

Article 4(12) requires existing information relating to assessing how this event led to one of the vulnerabilities. In this case, the incident file was deficient in not providing further details of the personal data affected by the bug. The Company explained this as follows: "A tweet is a free text field. By its very nature it may potentially contain any type of data, depending on how the user uses their account. If only one account were exposed, it might be worthwhile carrying out a specific review to determine […]. With a large number of potentially exposed accounts, one would simply assume that the exposed data could include any category of personal data".

The DPC was not satisfied by the Company's answer and referred to Article 24, which states that it "shall implement […] measures to […] be able to demonstrate that processing is performed in accordance with [the GDPR]". The DPC summarises the legal framework and states that the requirement of a well-documented event arises from the wording of Article 33(5) and from the obligation therein to document the "effects" of the breach. In addition, a Data Controller must document its assessment in order to be able to demonstrate its compliance with the general requirement of Article 33(1).

On 18.10.2021, the DPC announced that a €450,000 fine under Section 143 of the Data Protection Act 2018 was confirmed by the Dublin Circuit Court.

Comment

On the grounds of the possibilities of adverse impacts on citizens of EU member states and by applying Article 65(1)(a), the European Data Protection Board had to become involved. According to Article 65(6), the Decision of the EDPB is binding for the Data Protection Commission. It can be found here.

This is the first case in which the European Data Protection Board applied Article 65 of the GDPR. Twitter's case has been a matter of real interest for anyone who processes data across various EU member states and, as such, may be subject to decisions and views with input from multiple supervisory authorities across the EU. It is interesting to see Article 65 of the GDPR come into action and what happens when the regulators disagree.

Article 65 of the GDPR is intended to be invoked when a local supervisory authority, in this case the Irish Data Protection Commission, faces criticism from or does not agree with supervisory authorities in the other EU member states. In this case, various supervisory authorities made representations that they disagreed with certain allegations made against Twitter by the Irish DPC in respect to its GDPR compliance, following notification of a personal data breach in January 2019.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.