
Twitter’s modest fine for data breach highlights watchdog’s weaknesses

Net Results: EU regulators considering other mechanisms to route around Irish DPC

Finally, we've arrived at the end of a long tech regulatory limbo, awaiting a first decision that might indicate how the Irish Data Protection Commission (DPC) plans to enforce the General Data Protection Regulation (GDPR) against Big Tech.

Under GDPR's "one-stop shop" provision, a company is regulated by the data protection authority of the EU state where it has its main European establishment. Because most of the world's largest tech companies have their European bases in Ireland, enforcement against them falls to the Irish DPC.

Now, we have a glimpse of that regulatory intention. Going by this first case, we shall be spared the clattering noise of Big Tech’s collective knees knocking together in fear at the punishments awaiting them.

The big reveal this week was that Twitter will be fined €450,000 for a 2018 GDPR breach, the first financial penalty for a tech giant under the 2½ year-old law. Well, no one can accuse the DPC of a rush to judgement on this or other GDPR-related Big Tech complaints it is considering.

In the Twitter case, the violation of GDPR and the consequent fine relate to a failure to notify the DPC of a personal data breach within the statutory 72-hour period (Article 33 of the regulation), and to a failure to adequately document the breach.

The incident dates back to a December 2018 discovery that some Twitter users’ protected tweets – private tweets set to be visible only to a person’s followers – were open to other viewers.

The problem had affected some Twitter users on Android since 2014 and was fixed in January 2019. The social media platform issued a statement this week in which it said the failure to report the problem was an "unanticipated consequence of staffing between Christmas Day 2018 and New Years' [sic] Day".

The DPC opted for a modest fine because it said that Twitter's violation was unintentional. But other aspects of this case raise serious concerns, notably the fact that a flaw dating from 2014 was only identified in late 2018 and patched in 2019. That is a long time for private tweets to have been exposed on a platform used by activists and campaigners, and one with well-documented problems with bullying and abuse.

The Twitter case also highlights critical problems with the “one-stop shop” regulatory approach. Notably, other EU national regulators are clearly unhappy with an Irish approach seen as business-friendly.

The Twitter case took nearly two years to conclude, in part because regulators in other EU states weren't satisfied when a draft decision was circulated earlier this year, so the DPC invoked the formal EU dispute-resolution mechanism. A key objection was to the proposed fine, initially only a third the size of the final, still-modest figure. Under GDPR, the headline maximum fine is 4 per cent of worldwide annual turnover or €20 million, whichever is higher; for breach-notification failures of the kind at issue here the ceiling is 2 per cent or €10 million. Germany had suggested a more punitive fine of €7 million to €22 million.

Fine

As part of the resolution process, the European Data Protection Board, made up of the EU's national data protection regulators, required the DPC to increase the fine. This week, the DPC stated its recalibrated fine was "an effective, proportionate and dissuasive measure".

Critics swiftly disagreed. Austrian privacy activist Max Schrems tweeted: "Twitter got away with €450k as the first #GDPR fine by the DPC – 0.016% of their revenue in 2019… In other words: They need 1.5 hours to make that amount in revenue and pay that fine."

Schrems suggested that companies may choose a strategy of paying fines without contest, as court costs may exceed fines. He would know: the recent major decision from the European Court of Justice involving one of his complaints (the so-called Schrems II decision) was routed through the expensive Commercial Court by the DPC, with taxpayer-footed DPC costs subsequently running into millions of euro.

Paul Nemitz, principal adviser on justice policy for the European Commission, told the Wall Street Journal that other EU regulators are considering ways to resolve complaints faster, with greater punitive force, by using other mechanisms that enable them to route around the Irish DPC.

France's regulator, the CNIL, recently brought cases against Google and Amazon under the EU's ePrivacy directive rather than GDPR. Because the ePrivacy rules are enforced nationally, with no one-stop shop, it could decide the matter domestically. The combined French fines totalled €135 million.

“It is important that the lead authority for Google and other tech companies enforce GDPR properly to preserve the functioning of the one-stop shop,” Nemitz pointedly told the WSJ. But the one-stop shop’s permanent, unavoidable weakness is that all significant regulatory decisions under GDPR will continue to fall to one small country’s regulator. Those deep-pocketed, well-lawyered companies are all here. Goliath is not facing an equal adversary, much less, so far, any indication of a David.

The proposed EU Digital Services Act and Digital Markets Act, published in draft form this week, suggest one possible resolution.

Take out all GDPR complaints involving the largest tech companies, defined as extra-powerful "gatekeeper" companies subject to greater oversight under the new Digital Markets Act, and redirect and fast-track them to the collective European Data Protection Board.

The GDPR complaints procedure has to work faster, serve as a meaningful deterrent, and shed its ongoing Achilles' heel: dependency on a single EU state.