On December 15, 2020, the Irish Data Protection Commission (DPC) announced the imposition under the General Data Protection Regulation (GDPR) of a €450,000 fine against the social media company Twitter for its delay in reporting to DPC a data breach the company sustained in late 2018. According to the DPC’s press release about the fine, the DPC’s inquiry concerning the Twitter data breach was the first to go through the GDPR “dispute resolution” process since the GDPR’s introduction and was also the first decision in a “big tech” case in which all EU supervisory authorities were consulted as Concerned Supervisory Authorities. The DPC’s December 9, 2020 order can be found here. The DPC’s December 15, 2020 press release can be found here.
Under Article 33 of the GDPR, a “controller” sustaining a data breach must notify the competent EU supervisory authority not later than 72 hours after becoming aware of the breach. In Twitter’s case, the competent supervisory authority is the Irish DPC, because Twitter’s EU regional headquarters are in Ireland.
On January 8, 2019, Twitter notified the DPC that “On 26 December 2018, we received a bug report through our bug bounty program that if a Twitter user with a protected account, using Twitter for Android, changed their email address the bug would result in their account being unprotected.” Twitter noted in its breach notification that “The severity of the issue – and that it was reportable – was not appreciated until 3 January 2018 [sic] at which point Twitter’s incident response process was put into action.”
On January 22, 2019, the DPC launched an inquiry pursuant to the relevant GDPR requirements. Among other things, the DPC determined that as a result of the “bug,” if a Twitter user operating an Android device changed the email address associated with a Twitter account, the account’s tweets were accessible to the wider public without the user’s knowledge. Twitter advised the DPC that between September 2017 and January 2019, 88,726 EU and EEA users were affected by the bug. It is possible that other Twitter users were affected prior to September 2017. The Wall Street Journal’s December 15, 2020 article about Twitter’s GDPR fine quotes a Twitter spokesman as saying that its insufficient notification was an “unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day.”
After a lengthy inquiry process, in April 2020, the DPC prepared a draft decision for the consideration of the other EU supervisory authorities (through the European Data Protection Board (EDPB), which is composed of the privacy regulators from the 27 EU member states). Among other things, the draft decision included the DPC’s determination that Twitter had not complied with Article 33’s data breach notification requirement, both in terms of timeliness and in terms of documentation. In its draft decision, the DPC recommended that a reprimand and an administrative fine be imposed on Twitter. The draft decision specified a fine within a proposed range of between $150,000 and $300,000, which the EDPB advised needed to be increased. The final decision set the amount of the fine at €450,000 (or roughly $545,000 at current exchange rates).
The DPC’s decision making, and in particular its imposition of a fine against Twitter, represent landmarks in the application of the GDPR to cross-border data breach incidents and privacy issues involving a large technology company. It has taken longer than was anticipated when the EU data regulation first went into effect for enforcement to get under way, and the process involved has come in for significant criticism, but the fact is that a national data regulator has taken this step.
To be sure, the DPC’s fine imposed against Twitter is not the first administrative fine to be imposed under the GDPR. For example, in October 2020, the U.K. data regulator imposed a fine against Marriott of £14.4 million (reduced from the originally proposed fine amount of £99 million). According to press reports, the reduced fine reflected several factors, including Marriott’s response to the data breach incident, as well as concerns over the impact of the coronavirus outbreak on the company. The UK regulator’s actions regarding Marriott follow the regulator’s actions earlier in October 2020 regarding British Airways, in which the regulator imposed a fine on the airline company of £20 million — reduced from the originally proposed fine amount of £184 million; the fine amount was reduced in recognition of the impact on the airline of the pandemic.
Although the Twitter fine was not the first under the GDPR, it is still significant because there is, according to the Journal, a “long pipeline of cases involving big tech companies in Ireland,” including, among others, Facebook, Apple and Google. The Journal article quotes privacy activists as expressing their hope that the Twitter decision will help to break the logjam.
Just the same, the Twitter ruling has come in for sharp criticism from some privacy activists, who are concerned both about the amount of time the process took and about the size of the fine. One reason for the delay was the protracted consultation between the Irish regulator and the other EU data-protection authorities after the Irish regulator issued its draft decision; the process clearly is many-layered and cumbersome.
The activists’ criticism of the amount of the fine is based on the range of fine amounts that the GDPR permits. The GDPR allows privacy regulators to fine a company up to 2% of its global annual revenue (which the Journal reports would translate into a fine of $60 million based on Twitter’s 2018 revenue). However, in setting the amount of the fine, the DPC determined that a lesser amount was justified because the violation was negligent, not intentional or systematic.
Even if the fine against Twitter is relatively modest, it still represents a significant milestone in the development of privacy-related regulation, as well as a milestone in the evolution of corporate liability exposures based on privacy-related issues. The regulatory process may be cumbersome, but the fine against Twitter, the prior fines against Marriott and British Airways, and the pipeline of pending cases involving other tech companies all underscore the fact that privacy-related exposures, both under the GDPR and otherwise, are now an important and growing part of potential corporate liability exposures.
As I noted earlier this year when video teleconferencing company Zoom was hit with a securities class action lawsuit based on alleged misrepresentations concerning the privacy of its video platform, privacy-related issues are likely to be a growing source of claims against companies and their directors and officers, and not just because of the risk of regulatory actions. To be sure, the regulatory risk is an important exposure, and could result not just in regulatory enforcement actions, but also in follow-on actions as investors and others allege that companies either failed to take steps to protect the company against regulatory action or misrepresented the level of their regulatory compliance. No matter how you slice it, privacy-related issues and concerns represent a significant potential future source of corporate liability exposures.
One final note: both Twitter and Marriott are U.S.-based companies, yet both have been the subject of regulatory action in the EU that resulted in fines. The point that should not be lost here is that companies outside the EU face regulatory scrutiny and potential regulatory enforcement from EU data regulators under the GDPR.