We first published this note on 15 December 2020 and we have updated it to reflect Twitter’s reaction
On 15 December 2020 the Irish Data Protection Commission (DPC) announced that it had concluded its investigation under GDPR into Twitter. The investigation started in January 2019 following a data breach notification from Twitter. The DPC has fined Twitter €450,000.
The case is interesting in a number of respects and it has a special warning about resourcing over the Christmas and New Year period.
Some technical terms are used in this alert which are explained at www.bit.ly/gdprwords
What was the case about?
The case is significant in that the DPC fined Twitter for non-compliance with the data breach reporting obligations in GDPR Art.33(1), by failing to report the breach within 72 hours of becoming aware of it, and found that Twitter had also failed to meet its obligations under GDPR Art.33(5) by not documenting the breach, its effects and the remedial action taken. The obligations in GDPR Art.33(5) are commonly called the obligation to keep a data breach log. A case in Sweden earlier this year (https://www.corderycompliance.com/sdpr-fine-for-data-breach/) also looked at the data breach log obligations in GDPR, which apply to both data controllers and data processors.
The case concerned a bug in Twitter’s Android app which meant that protected tweets could become unprotected. The bug was discovered on 26 December 2018 by an external contractor managing the company’s bug bounty program. The bug was traced back to a code change made on 4 November 2014. The contractor shared the results with Twitter on 29 December 2018 by raising a Jira ticket. Twitter’s information security team did not review the Jira ticket until 2 January 2019. It decided that the issue was not a security issue but that it could be a data protection issue, and notified Twitter’s legal team the same day.
On 3 January 2019 Twitter’s legal team decided that the issue should be treated as an incident and on 4 January 2019 Twitter’s incident response process was triggered. Due to a mistake in their internal processes, Twitter’s global DPO was not added to the incident response process and the DPO did not find out until 7 January 2019. The breach was notified to the DPC on 8 January 2019.
EU Dispute Resolution
The case was unusual for a number of reasons, including the fact that it was the first “big tech” case handled by Ireland, which is the lead regulator under GDPR for many big tech operators. The case also went through the GDPR Art.60 dispute resolution process, as other DPAs did not agree with the DPC’s handling of the case. The European Data Protection Board (EDPB) has also now published a 47-page decision dealing with the dispute resolution.
After a draft decision was circulated by the DPC, objections were expressed by a number of DPAs including those in:
- The Netherlands
The objections raised included the DPC’s assessment of who was the data controller and who was the data processor, and whether the DPC was the lead DPA for the breach. There were also concerns about the infringements of GDPR found by the DPC, whether there were potentially other GDPR infringements, and about the level of the fine.
On the level of the fine alone, the DPAs’ proposals varied widely, ranging from €150k to almost €35m. The DPC’s proposed fine was raised after representations made by other DPAs, although not substantially. The DPC said that a lower fine was justified as Twitter’s breaches had been negligent rather than intentional.
What did Twitter say?
After the fine, Twitter said that it took full responsibility for the mistakes it made and blamed the delay on “an unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day”. It said that it had made changes to its own processes to make sure that it is able to report data breaches “in a timely fashion”.
At a hearing at the Dublin Circuit Court in Ireland on 19 October 2021, the fine was confirmed after Twitter said it had decided not to appeal.
There are a number of lessons to be learned including:
- Treat security as a top priority – organisations need to have proper technical and organisational measures (TOMs) in place to stop breaches happening. This will include thorough reviews of any code changes. Some app developers move more quickly than conventional software development teams, but this will be no excuse – apps, like any other software processing personal data, need to be secure.
- Do ongoing monitoring and testing to detect vulnerabilities and data breaches – We are handling a large number of attacks at the moment including some very severe and sophisticated ransomware attacks (see bit.ly/cvransom). Make sure your information security team have the resources they need and make sure you have cover in place over Christmas and New Year. Unfortunately attackers work 24x7x365 and your response teams need to do that too. There’s also no exemption to the 72 hour reporting deadline under GDPR for the holiday period. Criminal organisations are putting considerable resources and skill into these attacks. You’ll need to make sure that your defences are fit for purpose, and
- Breaches are inevitable – even the best run organisations will have a data breach. When it happens you need to make sure that you can respond quickly given the tight reporting deadlines in GDPR. Having a proper process (like Cordery’s 4-step plan here https://www.corderycompliance.com/dealing-with-a-breach/) is essential. You need to test that plan too – for example by holding regular data breach simulation exercises to check your regulatory responses (see here https://www.corderycompliance.com/cordery-data-breach-academy-2-2/). Our experience is that organisations who rehearse a breach respond better when they have a breach.
There is more information about this and other data protection topics in Cordery’s GDPR Navigator subscription service. GDPR Navigator includes short films, straightforward guidance, checklists and conference calls each month to help keep up to date and help you comply. More details are at www.bit.ly/gdprnav.
You can find more details of the case and the DPC’s announcement at www.bit.ly/twitfines
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785