Twitter's Irish GDPR decision faces trial by fire as EU enforcers get their say
22 May 2020 12:00 am by Vesela Gladicheva
As the Irish privacy watchdog sends its Twitter probe off to EU counterparts for review today, it will doubtless hope for quick, constructive feedback that lets it wrap up its first big probe into a US tech giant smoothly. It should prepare to be disappointed.
Privacy regulators elsewhere in the EU will almost certainly see this as a golden chance to make their voices heard and influence a high-profile case affecting citizens in their territories.
Such EU-wide consultation is a keystone of the General Data Protection Regulation's "one-stop shop" mechanism for probes into privacy violations that involve more than one member country.
But the process may well stretch to the autumn as the Irish Data Protection Commission sifts the feedback and finalizes its decision. Then Twitter would be expected to challenge the final decision and fine before Irish judges. The upshot is a final outcome far from certain and unknowably far into the future.
— Milestones —
Today's announcement by the Irish DPC, that it was forwarding its draft decision on a serious data breach at US social-media platform Twitter to its EU peers, comes just as the cake candles are lit for the GDPR's second birthday on May 25.
But it marks an important milestone for the Dublin-based watchdog itself, which has had harsh criticism from counterparts in Germany and other countries as well as from privacy advocates for taking too long to wrap up investigations into US tech giants.
The Twitter case dates back to early last year, when the company alerted the Irish regulator to a bug in its Android app. The flaw, which allegedly goes back to 2014, meant that users who changed the e-mail address associated with their account had all of their protected tweets made public.
At issue is whether Twitter complied with its GDPR obligations to file the breach notification within 72 hours after becoming aware of it and to document it properly. A Twitter spokeswoman declined to comment on the probe today.
The proposed fine in today's decision — which remains confidential — isn't likely to be eye-watering, certainly not as high as fines expected in other ongoing cases involving Twitter or probes into some of the other US tech giants that have their European operations based in Ireland.
That's because under the GDPR, infringements of the obligation to notify regulators of a personal data breach under Article 33 attracts a lower threshold of sanctions compared to the maximum penalties of up to 4 percent of a company’s annual global turnover. In Twitter's case, the fine won't be higher than 2 percent of its revenues.
— EU scrutiny —
Many of the other EU regulators about to dissect the decision can be expected to push the Irish DPC for changes after voicing what the GDPR insists must be "relevant and reasoned objection" to its draft decision and approach to the probe.
Some of the more active national watchdogs — for example, in Germany, Italy, Spain and Sweden — won't miss the chance to make a mark, not least because the GDPR took away their power to investigate many of the multinationals that operate across the bloc.
Because that's exactly what happened with the introduction of the one-stop shop procedure in the GDPR: The privacy regulator in the EU country where a company or its European operations are based takes the lead on bloc-wide investigations.
In Ireland's case, that's true for many of the biggest tech giants: besides Twitter, Facebook and its WhatsApp and Instagram units there's Airbnb, Apple, Google, Microsoft and Quantcast. Most are subject to ongoing probes.
EU watchdogs will have a month from today to submit their views to the Irish DPC on the Twitter probe, and if they deem the case complex, they can have a further month.
Most likely, there will be more than a trickle, and possibly a deluge, of interest and diverging opinion from peers. On top of that, they won't rush to file quick comments, given that they will be dealing with an unprecedentedly large consultation process in a high-profile case with much at stake. Other time constraints, such as dealing with local issues around the Covid-19 pandemic and data processing, might also come into play.
— One-stop shop —
The case will certainly test the one-stop shop. Even though the procedure isn't untested — it has led to 103 final decisions — none of these have involved more than a handful of national regulators each. The Twitter case will involve every one.
It all means that the Irish DPC faces a careful balancing act between satisfying its counterparts and ensuring that Twitter's penalty remains proportionate.
In practical terms that will see it reluctant to disagree with other regulators' views outright and risk pushing the case to a formal majority vote under the provisions of the GDPR's dispute-resolution mechanism for cross-border cases, which is managed by the European Data Protection Board, which groups EU privacy enforcers.
At the same time, the Irish watchdog will fight to avoid taking any irrational positions that could prompt a court appeal by Twitter.
Once the Irish DPC has finalized its decision and fine, Twitter will have 28 days to file an appeal to the Irish High Court. If it doesn't, the regulator can file papers to the Irish Circuit Court to confirm it.
But in the more likely event that Twitter does appeal, a challenge underpinned by any irregularities in the one-stop shop phase could see the fine slashed or even overturned if judges find problems with the way the regulator conducted its probe. That's naturally the last thing the Irish DPC wants.
— Lots of eyes —
The process and outcome matters far beyond Twitter. The Irish enforcer's approach has been closely watched not only by multinationals that already have their EU base in Ireland — particularly those already embroiled in an Irish probe — but also those considering a base there to benefit from the one-stop shop. Just think of UK companies looking for an EU base after the Brexit transition period ends.
All are keen to learn more about the Irish DPC's approach to investigations, how tough it can get, and, ultimately, whether Ireland is the place to establish a headquarters that offers sufficient regulatory certainty.
02 Jul 2020 5:00 pm by Neil RolandThe US Federal Reserve Bank of New York’s biggest financial stability worries are possible cyberattacks on the banking system.
26 Jun 2020 5:00 pm by Dave PereraA privacy backlash has led South Carolina to bar its health department from using smartphone contact-tracing apps.
25 Jun 2020 8:00 am by Amy MillerThe first stand-alone privacy enforcement agency in the US could be established in California if voters approve in November.