DPC - In the matter of Twitter International Company (IN-19-1-1): Difference between revisions

From GDPRhub
No edit summary
Line 56: Line 56:
}}
}}


Having received submissions by Twitter, the Irish Data Protection Commissioner (DPC) proceeded to set out his provisional views as to whether, in notifying the Breach to the Commission, Twitter had complied with its obligations under Article 33(1) but as well with Article 33(5).  
Having received submissions by Twitter, the Irish Data Protection Commissioner (DPC) proceeded to set out his provisional views as to whether, in notifying the Breach to the Commission, Twitter had not complied with its obligations under Article 33(1) as well with Article 33(5) GDPR.  


Ιn relation to Article 33(1), the DPC view was that, on the basis of the information and documentation provided by Twiter, it was not possible to ascertain whether TIC had complied with its obligations under Article 33(1) to notify the Breach without undue delay.  
Ιn relation to Article 33(1), the DPC view was that, on the basis of the information and documentation provided by Twitter, it was not possible to ascertain whether TIC had complied with its obligations under Article 33(1) to notify the Breach without undue delay.  


Same with Article 33(5);  Data Commisioner view was that, on the basis of the information and documentation supplied by the Company, Twiter had failed to comply with its obligation, under Article 33(5), to document the breach of data protection.
Same with Article 33(5);  Data Commissioner view was that, on the basis of the information and documentation supplied by the Company, Twitter had failed to comply with its obligation, under Article 33(5), to document the breach of data protection.


==English Summary==
==English Summary==
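Review bot: The revised first line still reads awkwardly after the "not" was inserted: "provisional views as to whether ... Twitter had not complied with its obligations under Article 33(1) as well with Article 33(5) GDPR". Suggest "as to whether Twitter had complied with its obligations under Article 33(1) as well as Article 33(5) GDPR". The Article 33(5) line fixes the spelling of "Commissioner" and "Twitter" but still lacks a possessive: "the Data Protection Commissioner's view was".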
Line 67: Line 67:
Through their bug bounty program, Twitter received a tip which classified as a vulnerability with the potential impact of the on world-wide user's personal data, including users around the European Union.  
Through their bug bounty program, Twitter received a tip which classified as a vulnerability with the potential impact of the on world-wide user's personal data, including users around the European Union.  


Although Twitter's employees and other contractors classified that incident with the label of low risk, the tip was registered to an internal database. Due to the staff's negligence, the data-protection officers of Twitter Inc were not assigned with the ticket. That was the official reason for the delay of notify the Commissioner of Data Protection, as the Article 33(1) of GDPR requires.  That particular software is to monitor bugs and disfunctions, when an employee gets assigned to a ticket, he or she receives an automated relevant notice. Under the Twitter's organisational structure, only a Data Protection Officer is allowed to notify the Data Protection Commissioner.  
Although Twitter's employees and other contractors classified that incident with the label of low risk, the tip was registered to an internal database. Due to the staff's negligence, the data-protection officers of Twitter Inc were not assigned with the ticket. That was the official reason for the delay of notify the Commissioner of Data Protection, as the Article 33(1) of GDPR requires.  That particular software is to monitor bugs and dysfunctions, when an employee gets assigned to a ticket, he or she receives an automated relevant notice. Under the Twitter's organisational structure, only a Data Protection Officer is allowed to notify the Data Protection Commissioner.  


===Dispute===
===Dispute===
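Review bot: The change corrects "disfunctions" to "dysfunctions" but leaves the other errors on the same line: "the delay of notify the Commissioner" should be "the delay in notifying the Commissioner", and "the Article 33(1) of GDPR" should be "Article 33(1) GDPR". The unchanged context line above it is also garbled ("the potential impact of the on world-wide user's personal data"); suggest "a potential impact on the personal data of users worldwide".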

Revision as of 17:49, 5 January 2021

DPC - In the matter of Twitter International Company (IN-19-1-1)
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 4(12) GDPR
Article 24 GDPR
Article 33(1) GDPR
Article 33(5) GDPR
Article 65 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 09.12.2020
Published: 15.12.2020
Fine: n/a
Parties: n/a
National Case Number/Name: In the matter of Twitter International Company (IN-19-1-1)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: Commissioner for Data Protection (in EN)
Initial Contributor: Panayotis Yannakas

Having received submissions from Twitter, the Irish Data Protection Commissioner (DPC) set out his provisional views on whether, in notifying the Breach to the Commission, Twitter had failed to comply with its obligations under Article 33(1) as well as Article 33(5) GDPR.

In relation to Article 33(1), the DPC's view was that, on the basis of the information and documentation provided by Twitter, it was not possible to ascertain whether Twitter International Company (TIC) had complied with its obligation under Article 33(1) to notify the Breach without undue delay.

The same applied to Article 33(5): the Data Protection Commissioner's view was that, on the basis of the information and documentation supplied by the Company, Twitter had failed to comply with its obligation under Article 33(5) to document the personal data breach.

English Summary

Facts

Through its bug bounty program, Twitter received a tip that was classified as a vulnerability with a potential impact on the personal data of users worldwide, including users in the European Union.

Although Twitter's employees and contractors classified the incident as low risk, the tip was recorded in an internal ticketing database. Due to staff negligence, the ticket was not assigned to Twitter Inc's data protection officers. That was the official reason given for the delay in notifying the Data Protection Commissioner, as Article 33(1) GDPR requires. The software in question tracks bugs and malfunctions; when an employee is assigned a ticket, he or she receives an automated notification. Under Twitter's organisational structure, only a Data Protection Officer is permitted to notify the Data Protection Commissioner.

Dispute

A series of legal questions arose in the reasoning, first among them how the structure of a group of companies may determine the roles of controller and processor, as well as the other requirements of a notification under Article 33(1).

The Twitter corporate group consists, among other entities, of (a) Twitter Inc, registered in the US, and (b) Twitter International Company (TIC), registered in Ireland. Twitter itself has characterised the latter as the provider of Twitter services in Europe. On the question of territorial jurisdiction, the Irish Data Protection Commissioner was satisfied that (a) it is the lead supervisory authority within the meaning of the GDPR and that (b) TIC is the controller in respect of the cross-border processing of the personal data that was the subject of the breach.

The bug report arrived in December 2018, but Twitter's workflow for handling such incidents was not put into action until 3 January 2019. Following the Company's investigation, Twitter confirmed the number of affected EU and EEA users as 88,726. Twitter also confirmed that the bug which led to the breach was introduced in November 2014 and fully remediated in January 2019.

A large part of the discussion concerned what triggers the 72-hour requirement, especially within a group of companies. Recital 85 clearly specifies "without undue delay and, where feasible, not later than 72 hours after having become aware of it". Moreover, Twitter itself outlined in a submission: "As is common with multinational corporate groups, […] use "we" and "us" loosely or refer to the group by its name, for example, "Twitter", when referring both to individual legal entities within the group of companies and/or the group of companies as a whole, without considering the implications of the distinction". The main question was therefore whether the required standard of awareness must be tighter than that imposed by the GDPR, depending on the sequence of events. For example, in a structure of subsidiary companies, is the awareness of the parent company enough to trigger the 72-hour limit?

Holding

Recital 87 GDPR makes clear that the issue of controller 'awareness', and its role in defining the timeframe within which notification must take place, has to be seen in the context of the broader obligation to have appropriate measures in place to facilitate such awareness, including an overarching responsibility to ensure compliance under the far broader principle of accountability. The principle of accountability should come as no surprise in a personal data framework. The line of reasoning can be summarised as follows: if controllers and processors must ensure a level of security appropriate to the risk posed to the personal data being processed, they should take into account the state of the art and the nature, scope, context and purposes of processing, especially where there are risks of varying likelihood and severity for the rights and freedoms of natural persons. On these terms, a combination of technical and organisational measures is at the very least unavoidable and foreseeable. Recital 87 states precisely that it "should be ascertained whether all appropriate technical and organizational measures have been implemented to establish immediately whether a personal data breach has taken place and to inform promptly the supervisory authority and the data subject […]".

The bug was described as one whereby users could unknowingly disable the "protect my account" setting when adding a new email address to their account using the Android mobile app. For the Data Protection Commissioner that description was inadequate; for example, it did not explain how the bug was assessed as satisfying the criteria for a personal data breach within the meaning of that term under the GDPR.

Article 4(12) requires that there be information relating to an assessment of how the event led to one of the vulnerabilities. In this case the incident file was deficient in not providing further details of the personal data affected by the bug. The Company explained this as follows: "A tweet is a free text field. By its very nature it may potentially contain any type of data, depending on how the user uses their account. If only one account were exposed, it might be worthwhile carrying out a specific review to determine […]. With a large number of potentially exposed accounts, one would simply assume that the exposed data could include any category of personal data".

The DPC was not satisfied with the Company's answer and referred to Article 24, which states that the controller "shall implement […] measures to […] be able to demonstrate that processing is performed in accordance with [the GDPR]". Summarising the legal framework, the DPC stated that the requirement for a well-documented event arises from the wording of Article 33(5) and from the obligation therein to document the 'effects' of the breach. In addition, a controller must document its assessment in order to be able to demonstrate its compliance with the general requirement of Article 33(1).

Comment

Given the possible adverse impact on citizens of EU Member States, and by application of Article 65(1)(a), the European Data Protection Board (EDPB) had to intervene. Under Article 65(6), the EDPB's decision is binding on the Data Protection Commission. It can be found here.

This is the first case in which the European Data Protection Board applied Article 65 GDPR. Twitter's case has been of real interest to anyone who processes data across several EU Member States and who may therefore be subject to decisions and views with input from multiple supervisory authorities across the EU. It is interesting to see Article 65 GDPR come into action and to observe what happens when the regulators disagree.

Article 65 GDPR is intended to be invoked where a local supervisory authority, in this case the Irish Data Protection Commission, faces criticism from or does not agree with supervisory authorities in other EU Member States. In this case, various supervisory authorities made representations that they disagreed with certain allegations made against Twitter by the Irish DPC in respect of its GDPR compliance, following notification of a personal data breach in January 2019.
