
EU Delays GDPR Decision in Twitter Case

European data privacy regulators can't agree on the penalties for Twitter in the GDPR case.

Irish privacy regulators are still trying to finalize their decision on how Twitter handled a security incident in 2018. The delay stems from the final details still having to be hammered out with privacy regulators from other European Union countries.

The Irish Data Privacy Commission has been investigating the security incident in which a bug in the Twitter Android app made some users’ protected tweets public. The case against Twitter alleged that the company did not report the breach within 72 hours, violating the EU’s General Data Protection Regulation. The investigation was completed earlier this year, and the Irish regulators submitted a draft decision to the other EU data protection authorities in May.

Under the EU’s General Data Protection Regulation, a regulator from one country takes the lead role in privacy cases that span borders. However, before issuing a final decision, the lead regulator has to share its draft decision with the other EU regulators that could claim jurisdiction and take their feedback into consideration.

Twitter, like many other tech companies, has its European headquarters in Dublin, which is why the Irish Data Privacy Commission is its lead privacy regulator in the EU. Since the security incident affected citizens of other European countries, this was a cross-border case.

“A number of objections were raised,” the Irish regulator said in a brief statement. “However, following consultation a number of objections were maintained and the (Irish Data Privacy Commission) has now referred the matter to the European Data Protection Board.”

The European Data Protection Board is an independent body representing the bloc’s privacy regulators. The EDPB has one month to broker a two-thirds majority among member states, and one month after that to reach an absolute majority. If all that fails, the chair of the board will cast the deciding vote. It may be November before Twitter learns its fate.

GDPR gives regulators broad authority over penalties and enforcement actions, and it raised the maximum monetary fines. Companies that don’t disclose breaches and incidents in a timely manner can be fined up to 10 million euros ($12 million) or 2 percent of a company’s annual revenue, whichever is higher.

Twitter reported revenues of $3.46 billion in 2019, which means a potential fine could be as high as $69 million.

The ruling will be the first involving a U.S. technology company since GDPR took effect in 2018. Ireland is currently working through complaints against Apple, Facebook, Google, and LinkedIn. WhatsApp sharing user data with Facebook is one of the cases the Irish regulators have been investigating.

The statement did not specify what kind of objections the regulators in other countries raised. The question at the heart of the case was not about specific business practices such as data mining and storage, but about breach reporting.

The disagreement and wrangling over Twitter’s case may be a hint of what will happen with the two dozen or so other investigations the Irish watchdog is trying to wrap up involving U.S. technology companies. GDPR’s effectiveness will be weakened if every case takes this long to work through the system.

There has been some discussion about whether the GDPR needs to be fixed or modified, and the slow pace of enforcement is one of the biggest questions. While it is important for privacy regulators to be deliberate in their rulings, so that cases are not tied up in appeals for years, it is also problematic if companies never actually see any enforcement actions under the law. There are also concerns that having a single regulator take the lead on cross-border cases may not be the ideal arrangement, especially when a single country is carrying a large number of cases.