Although Ireland's regulator is the lead European supervisory authority for most of the world's largest technology firms, its first ruling against Big Tech under the EU's General Data Protection Regulation (GDPR) appears to have been taken out of its hands.
The Irish Data Protection Commission (DPC) was meant to be the ultimate arbiter of whether social media firm Twitter violated Europe’s strict privacy rules for potentially failing to notify the regulator on time that there was a data breach linked to its Android app in late 2018.
However, on Aug. 20 the Irish DPC announced it had triggered a mechanism under Article 65 of the GDPR that ultimately kicks the decision-making process up to Europe’s supreme data regulator, the European Data Protection Board (EDPB), to sort out.
At the earliest, the EDPB decision will be ready by Sept. 20. At the latest, it will not be known until early November—nearly six months after the Irish regulator sent its draft decision out for consultation.
The maximum fine allowed under the GDPR for a company’s failure to notify a data breach is €10 million (U.S. $11.8 million), or 2 percent of the total worldwide annual turnover (whichever is higher). In 2019, Twitter’s revenue reached $3.46 billion, making a potential fine worth up to $69 million.
Lawyers expect Twitter to appeal any kind of adverse decision, especially a fine.
The Irish DPC submitted its draft decision on May 22 regarding the extent to which—if at all—Twitter failed to comply with GDPR requirements when it notified the regulator of the Android breach. The draft decision was not available to the public.
The EU's other 26 data protection authorities (the United Kingdom is now excluded) then had until June 22 to consider the draft decision and provide feedback. They duly did so—and apparently in spades. For the following two months the Irish regulator tried to resolve the differences of opinion with the objecting authorities. Under the GDPR's cooperation procedure (Article 60), a lead authority must either follow each "relevant and reasoned" objection or refer the matter to the EDPB; it cannot simply overrule dissenters. The Irish DPC was unable to resolve all of the objections.
A statement from the Irish DPC released on Aug. 20 said "a number of objections were raised by concerned EU supervisory authorities and the DPC engaged in a consultation process with them. However, following consultation a number of objections were maintained and the DPC has now referred the matter to the EDPB under Article 65 of the GDPR"—the first time the mechanism has been used since the regulation began to apply in May 2018, roughly 27 months earlier.
DPAs raise objections to Irish decision
It is not known how many data regulators—or which of them—chose not to back the Irish decision, but suspicion is rife that Germany, Austria, Belgium, and France are chief among them. It is also not known why they dissented, though the size of any proposed fine is widely rumored to be one of the many sticking points.
Graham Doyle, a deputy commissioner at the Irish DPC, says there were several legitimate reasons why the case has been referred to the EDPB. First, he says, different data protection authorities raised different objections, some of which were very technical, specific, and niche. Second, he says, some raised the same objections—but for different reasons—and reached divergent positions on how to resolve them, interpreting the GDPR differently.
“It is wholly understandable that, as this is the first cross-border decision into a Big Tech firm, it is going to take time to reach agreement,” Doyle said. “This decision will set a precedent for all other cross-border GDPR complaints into Big Tech, of which Ireland is in charge of 23, so it is not unexpected that Article 65 has been triggered and that the EDPB will get involved.”
Should this have been settled without dispute mechanism?
For many lawyers, data privacy experts, and some data regulators, this first cross-border decision into Twitter and compliance with the EU's privacy rules should have been the easiest Big Tech case to investigate and turn around, as it relates largely to whether the Irish DPC was informed of a breach in a "timely manner," meaning, under Article 33 of the GDPR, without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach. Usually, Big Tech investigations involve an in-depth examination of the technology involved, the supporting controls, how data is shared among third parties and other platforms, and how the data-driven services actually work.
Twitter is subject to three separate investigations by the Irish DPC, two of which are ongoing.
Indeed, the other two investigations are widely regarded as more problematic. One deals with the extent to which data controllers can refuse individuals' access requests, while the other concerns whether the company had appropriate technical controls, safeguards, and systems in place to identify whether potential breaches had taken place, as well as the requisite notification procedures to alert the regulator within the 72-hour deadline.
Ireland has consistently faced criticism for the slow progress of its investigations, especially as other EU data regulators have successfully—and quickly—taken on another tech giant, Google, for GDPR violations, despite not being the company’s lead supervisory authority.
While Google has its European headquarters in Ireland, all three of its GDPR fines have been handed down by other EU agencies. France's data protection authority (CNIL) fined Google €50 million (U.S. $57 million) in January 2019 for failing to provide users with transparent and understandable information on its data use policies, while the Swedish Data Protection Authority fined it 75 million Swedish kronor (U.S. $7.6 million) in March for failing to delist personal information as previously instructed. In July the Belgian Data Protection Authority fined the company €600,000 (U.S. $670,000) for its refusal to delete search results linked to a Belgian public official, thereby violating the GDPR's "right to be forgotten" provision.
Experts say each of these cases was at least as complex as, if not more complex than, Ireland's completed investigation into Twitter. Still, lawyers and data experts are unsurprised Article 65 has been triggered.
“Inevitably, obtaining a consensus of opinion between 27 countries is not straightforward,” says Jane Sarginson, barrister in the regulatory practice at law firm St Philips Chambers.
"If anything, it might have been a surprise had the matter been resolved without the dispute resolution mechanism being triggered," says Helen Davenport, partner at law firm Gowling WLG. "However, this latest development will do nothing to quieten those who have argued that the Irish DPC should be acting faster or those calling for evidence of action against Big Tech companies."
Another lawyer, who declined to be named, added “reading between the lines, I think the Irish DPC wanted to kick it up to the EDPB to decide in the same way that it wanted the Court of Justice of the EU to decide the Privacy Shield case. And, to be honest, who can blame it? There’s so much riding on getting the decision right.”
Experts also point out there were bound to be differences of opinion given the “derogations” and “exceptions” inherent in the GDPR, which allow EU member states to take their own approach on some issues.
“Divergence is built into the GDPR,” says Camilla Winlo, director of consultancy at data privacy specialists DQM GRC. “There are areas where member states explicitly have the right to make local decisions, such as the age at which a child should be considered capable of consenting in their own right.”
“It is also worth bearing in mind that the GDPR is a relatively young principles-based regulation in a rapidly evolving environment, so at this stage it is both appropriate and healthy for there to be diverse thinking across regulators and sharing of views about how to interpret and enforce the requirements,” adds Winlo.
Others are less concerned about whether there is divergence in approach and more interested in having the areas on which data protection authorities disagree made public. Tim Mackey, principal security strategist at the technology firm Synopsys' Cybersecurity Research Center, says that while there will always be differences in opinion for how individual DPAs adjudicate the cases presented before them, "it's my hope that the nature of the disputed outcome is disclosed so that businesses seeking to remain compliant are aware of how dissenting DPAs viewed the violations under review."
Yet experts cannot shake off the idea that the clear differences in enforcement approach among data protection authorities have contributed to the failure to reach agreement on Ireland's draft Twitter decision. Sarginson says that "the general lack of apparent enthusiasm for some authorities to enforce the regulation has led to divergences in approach to enforcement."
Winlo, however, cites budgetary constraints as a key factor. “There is a clear disconnect between the theoretical powers vested in regulators and their practical ability to exercise them,” she says.