Personal data breach mismanagement and the Twitter case

03 February 2021

by František Nonnemann

Twitter International Company (TIC), part of the Twitter Group, was fined 450.000 EUR by the Irish data protection authority for insufficient data breach management. The Irish Data Protection Commission found that TIC did not report significant data breach in the time limit of 72 hours as stated by the General Data Protection Regulation (GDPR). Furthermore, the company did not have the process for data breach management under full control and did not keep appropriate records of all data breaches that occurred.

As the nature of this case is cross-border, we can see an important example of how various other EU Member States supervisory authorities were involved. Most importantly,  the European Data Protection Board (EDPB) had to intervene because of a disagreement between multiple national supervisory authorities. For the first time the EDPB decided on the disagreement between supervisory authorities on GDPR interpretation in an individual case. While the EDPB did not accept any of the objections against the legal qualification, it did however double the final amount of the fine.

After the EDPB’s decision, the Irish supervisory authority issued the final decision on 9th December 2020.

Publishing the tweets against the users’ will

TIC is a personal data controller for the data of customers from the whole world except for the US. Another member of Twitter Group, namely Twitter Inc., is the personal data controller for US customers. Twitter Inc., TIC’s parent company, provides TIC with several services including ICT services.

The timeline and differentiation between the stakeholders are crucial for this case: One of the contractors of Twitter, Inc. found a bug causing potential privacy issues on 26th December 2018. The bug caused the tweets to be published to an unlimited audience. This happened while the profile holders had this data under private mode when only their connections should be allowed to see their contributions. The contractor reported the bug to Twitter, Inc. on 29th December 2018. Internal investigation in this company started on 2nd January 2019 and TIC, as the data controller who is finally responsible and accountable for the data protection of its clients, was informed on 7th January 2019, 12 days after the bug was found. TIC notified the Irish Data Protection Commission on the breach the next day, i.e., 8th January 2019.

Data security was not inspected; only the data breach management was

The Irish supervisory authority lays out a very limited scope of the inspection: Only the data breach reporting obligation and the duty to keep records of all data breaches were in scope of the inspection.

Some national supervisory authorities, however, indicated that the above definition is too narrow. For example, the German supervisory authority asked to broaden the scope of the definition and include the whole data security at TIC environment. Similarly, the French authority asked to provide a deeper investigation to the data controller (TIC) and data processor (Twitter Inc.,) relations, rights, and obligations.

The EDPB did not uphold any of these objections. The Board stated that the inspection scope definition is broad in terms of the leading supervisory authority, which in this case is the Irish Data Protection Commission. Nevertheless, the EDPB added that the scope should be defined in the way which allows the concerned supervisory authorities to undertake their relevant part in the cross-border supervision. This also includes the application of the one-stop shop mechanism.

A subsidiary could be a data controller

The Irish authority stated the TIC was a personal data controller and that Twitter, Inc. is a personal data processor for the inspected business model. Several supervisory authorities from other Member States objected against this finding. For example, the Spanish authority commented that Twitter, Inc. should be considered as a data protection controller because the entity was deciding on the purposes and means of the Twitter clients’ data processing. Furthermore, the German authority saw all involved Twitter companies as joint controllers. This is because the system for data processing was originally set-up by Twitter, Inc., but modified for some categories of clients based on the instructions of TIC.

The EDPB stated that those kinds of objections were generally legitimate because the role of the subject taking part in the data processing is crucial for them taking responsibility. On the other hand, the EDPB did not change this part of the Irish authority decision, mostly for formal reasons. The EDPB explained that the objections did not clearly demonstrate the significance of the risks posed by the draft decision for the fundamental rights and freedoms of data subjects as required by GDPR.

The data controller is finally responsible for proper data breach management

The Irish supervisory authority also focused on the TIC’s responsibility for the partially outsourced ITC security processes.

TIC argued that it has proper data breach escalation and notification processes set up with Twitter, Inc. Allegedly, this process worked well and the TIC was always notified very quickly about any previous incidents. A delay in this case  was caused by a human error during the holidays at the end of year.

The authority found that there was a breach of TIC’s reporting obligation based on the GDPR. The internal investigation of the incident at Twitter, Inc. started after several days once the company became aware of it. This was the root cause for the late data breach notification. Furthermore, the Irish authority stated that the final responsibility for data breach processes including the timely reporting of the breaches shall be with the data controller. This principle applies in the case when one or more vendors and / or data processors, are included in the incident handling process. If the data controller is not informed about the incident in a timely manner by its vendor, then the incident handling process cannot be carried out properly. In this case, Twitter, Inc.’s actions was the cause of the delay in reporting the incident. TIC was then subsequently not able to meet the 72 hours deadline for the data breach notification.

No objections from other supervisory authorities were raised against this part of the decision.

A data breach register must be able to demonstrate GDPR compliance

A personal data controller is obliged to keep the document on all personal data breaches. This documentation shall contain all relevant information about the data breach, its root case, consequences for the data subjects and remedial actions taken by the controller. This documentation shall enable the supervisory authority to verify data controller compliance with GDPR in relation to data breach management.

The Irish supervisory authority found that TIC failed to keep appropriate documentation on the data breach. TIC provided the Irish supervisory authority with a lot of documentation about the particular breach, from the initial bug reports and screens from internal communication to the final incident report. This documentation contains information about the incident but, according to the authority’s final decision, other important parts were missing. For example, the documentation neither included reasons for qualifying the incident as a personal data breach nor did it contain a description of the breach impact on data subjects and its severity. Therefore, the data controllers’ steps were not auditable and verifiable, and the supervisory authority was not able to adequately check their compliance with GDPR.

The other supervisory authorities’ concerns did not raise any substantive objections to this conclusion either.

The fine was doubled

The Irish Data Protection Commission originally intended to fine TIC to an amount between 135.000 to 275.000 EUR. The sanction scope for such a breach in GDPR is a fine of up to 10 million EUR or up to 2 % of the data controllers’ group total worldwide annual turnover of the preceding financial year, whichever is higher. TIC is part of Twitter Group; the sanction limit was therefore set to 60 million US dollars for the relevant period.

The authority justified a relatively smaller fine by the negligent nature of the breach, its severity and impact and by the remedial actions already taken by TIC. Several EU supervisory authorities objected to this. The Austrian authority, for example, did not agree with the negligent nature of the breach due to the fact that TIC had to know about the weaknesses in their incident handling process. The German and Hungarian authorities objected to the fine for not being proportionate and dissuasive from both the severity of the breach and the data controller’s position.

The EDPB decided in favour of these objections. The EDPB agreed that the original fine cannot be seen as effective, proportionate and dissuasive in this particular case. The Irish supervisory authority then doubled the fine to the above mentioned amount of 450.000 EUR.

How can we improve data breach management?

Three main points should be taken into careful consideration from the EDPB and Irish Data Protection Commissions’ decision:

  • Data breach management represents a crucial obligation that needs to be performed by a personal data controller. A personal data controller is ultimately liable even if one or more data processors or sub-processors are involved. If the data controller fails to notify a supervisory authority about the breach within the 72 hour time limit, even if the delay is because of an error made by its vendor, the data controller will remain liable for a breach in GDPR.
  • Data breach documentation shall be comprehensive and enable a supervisory authority to deeply verify the data controller’s compliance in the data breach management process. A data controller shall document not only the incident itself but also all relevant facts about its internal reporting, investigations, and the assessment on its impact and severity.
  • A supervisory authority from the data controller’s domestic state, a state where it has its main establishment, is still the most important one. Despite the one-stop shop mechanism introduced by GDPR, the EDPB was conservative with the revision of the legal qualification submitted by the Irish authority. The Board did not uphold any objection of the other supervisory authorities relating to the legal qualification of the breach, responsibilities of the stakeholders, or scope of the investigation, etc. The approach and communication with the authority in charge of leading the investigation remains an essential part of the inspection management process from the data controller’s point of view.

The author František Nonnemann has worked for 10 years at the Office for Personal Data Protection, among others as the director of the analytical department or the head of the legal department. Since 2016 he has been working in the financial sector, first as a commissioner for personal data protection and a client ombudsman in the MONETA financial group, and since 2019 as a compliance and operational risk manager in the fintech company MallPay. He lectures and publishes mainly on the topic of personal data protection, he is, among other things, a co-author of comments on the GDPR or the law on personal data processing. He is a member of the Committee of the Association for the Protection of Personal Data. He is also a blogger for the Czech/Slovakian language website of the Risk & Compliance Platform Europe.

Leave a Reply

Your email address will not be published. Required fields are marked *