Twitter’s tiny $547K GDPR fine leaves many scratching their heads

The Irish DPC said the fine under the General Data Protection Regulation (GDPR) is an “effective, proportionate and dissuasive measure.” Others are underwhelmed, as the penalty is equivalent to the social media firm’s earnings made in 90 minutes.

The Irish DPC began its investigation in January 2019 after Twitter self-reported a data breach linked to its Android app late due to “an unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day.” The breach affected at least 89,000 people.

“The fine is just one aspect of the case. … The reputational damage to Twitter from admitting a breach is much more important than any financial penalty in this case because it will force the company to change its behavior, focus on compliance, and compel other companies to do likewise.”

Graham Doyle, Deputy Commissioner, Irish Data Protection Commission

In a statement over a series of tweets, Damien Kieran, Twitter’s chief privacy officer and global data protection officer, said the firm worked closely with the Irish DPC to support its investigation, adding that it respects the regulator’s decision.

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur,” Kieran said. “We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”

The Irish DPC submitted its draft decision in May to the other EU data protection authorities (DPAs) under Article 60 of the GDPR, a process it had to follow since it was investigating on behalf of all the EU’s 27 member states.

However, following an overall lack of agreement between the DPAs, in August the Irish DPC passed the decision onto the European Data Protection Board (EDPB), the EU’s overall data protection authority, to resolve under the GDPR’s Article 65 mechanism. Sticking points included the size of the proposed fine, as well as a range of very specific, niche objections that provoked different DPAs to make “widely divergent” suggestions about how to resolve them, according to sources involved.

The EDPB delivered its decision on Nov. 9. The Irish DPC had until this week to make it public.

Many observers—including privacy campaigners, lawyers, and even other DPAs—have been left scratching their heads at why the company’s lead European regulator took so long to arrive at the decision it did, the level of penalty it has imposed, and why it sat on the EDPB’s decision for a further month when it could have been made public in November.

For context: Cost for all judicial cases against the DPC we had so far, far exceeded this amount - it is likely cheaper for Twitter to pay this amount than even bother fighting it in the courts.. May be the logic behind this amount..

— Max Schrems 🇪🇺🇦🇹 (@maxschrems) December 15, 2020

Some have also pointed to the fact the investigation was essentially straightforward: The breach was self-reported, and the case focused on relatively simple procedural elements—a failure to report and document—rather than an abuse of personal data or inherent problems with technology. As such, “the investigation should never have taken 15 months in the first place,” according to one lawyer.

Dispute among DPAs

The maximum fine for failure to notify a regulator of a data breach is €10 million (U.S. $12.1 million) or 2 percent of global revenues—whichever is higher. Twitter’s annual global revenues in 2018 were $3 billion, so 2 percent would have been $60 million.

Initially, the Irish DPC wanted to set the fine at between €135,000 to €275,000. The DPAs for Austria, Germany, Hungary, and Italy all complained that was too low and still hold that view. Germany, for example, wanted to impose a fine worth between €7.3 million and €22 million.

Three other DPAs—France, Spain, and the Netherlands—also objected, though the opposition is far short of the two-thirds majority needed to overturn the ruling.

Graham Doyle, deputy commissioner at the Irish DPC, contests “the fine is just one aspect of the case.” He adds that “the reputational damage to Twitter from admitting a breach is much more important than any financial penalty in this case because it will force the company to change its behavior, focus on compliance, and compel other companies to do likewise.”

Going forward, it is hard to see how Europe’s data regulators will be aligned in how they arrive at GDPR fines, especially in cross-border Big Tech cases (of which Ireland has another 25 to proceed with).

Speaking earlier this month, Irish Data Protection Commissioner Helen Dixon complained the process to reach a unified agreement with other supervisory bodies had taken too long, was overcomplicated, and “didn’t really work well.” However, she expressed hope that since “it is the first time EU data protection authorities have stepped through the process … maybe it can only get better from here.”

An appropriate penalty?

Some experts believe the “low” fine is largely in line with the level of harm caused, and that the Irish DPC’s decision is on the right lines.

Loretta Maxfield, a partner specializing in the GDPR and intellectual property at law firm Thorntons Solicitors, says the fine “meets the core requirements of being effective, dissuasive and proportionate, not just to Twitter, but to all organizations processing personal data.” She adds, “Because the decision is not tech-specific, it should be taken seriously by all organizations and not just Big Tech companies.”

Peter Galdies, director at data privacy consultancy DQM GRC, also believes the fine “is very much in the upper limits of what could have been levied considering all of the constraints.” He adds that “it is a lesson for us all” and “worth noting” the lack of detail in the documentation provided by Twitter regarding its breach notification procedures had a “considerable impact on setting the final fine.”

“The lessons to be learned here are simple,” says Galdies. “Plan for a breach, plan your notification process, don’t hesitate to accurately inform the regulator (which means don’t seek to minimize or obfuscate the facts), and document everything to a much higher degree of detail than you might have first considered.”