A dispute between European Union privacy regulators over the Twitter data case is delaying the most advanced cross-border privacy case involving a U.S. tech company under the GDPR.
The Twitter data case dispute, disclosed in a statement from Ireland’s Data Protection Commission, is one of the first major tests for enforcement of the GDPR. It has raised concern over possible disagreements and delays in nearly two dozen other investigations into Facebook, Google, and other U.S. tech companies. This particular case concerns a security hole that Twitter claimed to have fixed in January 2019, which exposed the private tweets of some users for more than four years.
This Twitter case dispute will be an early indication of how power sharing among EU regulators works in similar situations.
The outcome of this Twitter case will be an early indication of how the EU’s power-sharing system among regulators will work in practice. Because Twitter has its regional headquarters in Ireland, the investigation is led by Ireland’s data commission. However, regulators in any of the 26 other EU countries involved can object to a case. Under the GDPR, in cases that involve multiple countries, the lead regulator (in this case Ireland’s data commission) sends its draft decision to its counterparts. They then have four weeks to submit objections, after which there is additional time to approve revisions based on those objections. Any disagreements the regulators can’t resolve can be referred to the European Data Protection Board, which decides by way of a vote. Once the board approves a decision, the lead regulator will inform the company of that decision within a month. The voting process can take from a month to two, or two and a half months, depending on whether extensions are granted.
After consultations with other EU authorities, there remained a number of objections, triggering the first-ever dispute resolution.
The Irish privacy regulator said that it had triggered a dispute-resolution mechanism among the bloc’s privacy regulators because of a failure to resolve disagreements over its draft decision in the Twitter case. This is the first time that process has been triggered. Ireland’s data commission forwarded a draft decision to its counterparts for comments in May.
The commission engaged in consultations with other regulators to resolve their complaints. Graham Doyle, a deputy commissioner, said that despite the consultation, a number of objections remained and the Data Protection Commission has now referred the matter to the European Data Protection Board.
Under the GDPR, companies can be fined on a sliding scale of up to 2% of their annual revenue for this type of violation, depending on various factors.
Ireland’s data commission said that the focus of this case is on whether Twitter met its obligation to give timely notification of the data breach. Under the GDPR, regulators can fine companies up to 2% of their world-wide annual revenue for failing to notify them of a data breach within 72 hours. This could amount to up to $69 million, based on Twitter’s 2019 revenue. However, the legislation also directs regulators to take into account the gravity and duration of the violation, the type of personal information involved, and other factors, such as whether the violation was intentional. This leaves a lot of room for disagreement between regulators on how much companies should be fined for violations.