Twitter Data Case Sparks Dispute, Delay Among EU Privacy Regulators
August 20 2020 - 7:29AM
Dow Jones News
By Sam Schechner
European Union privacy regulators are clashing over how much --
if anything -- to fine Twitter Inc. for its handling of a data
breach disclosed last year, delaying progress of the most advanced
cross-border privacy case involving a U.S. tech company under the
EU's strict new privacy law.
The dispute, disclosed in a statement Thursday from Ireland's
Data Protection Commission, is one of the first major tests for
enforcement of the EU's privacy law, known as GDPR, which took
effect in 2018. It raises the specter of disagreements and delays
in nearly two dozen other investigations into Facebook Inc.,
Alphabet Inc.'s Google and other U.S. tech companies under the law.
Those investigations are led by Ireland's data commission because
the companies have regional headquarters in Ireland, but its
counterpart regulators in all 26 other EU countries can object in
cases that involve them.
The Irish privacy regulator said Thursday that it had triggered
a dispute-resolution mechanism among the bloc's privacy regulators
after failing to resolve disagreements over its draft decision in
the Twitter case -- the first time that process has been
started.
The Twitter case is a bellwether because it is the first in
which Ireland's data commission forwarded a draft decision to its
counterparts for comments, which it did in May. The case concerns a
security hole that Twitter said it fixed in January 2019 that, over
a period of more than four years, exposed the private tweets of
some users.
Ireland's data commission said in its 2019 annual report that
the focus of the case is on whether Twitter fulfilled its
obligation for a timely notification of the breach.
Twitter didn't immediately respond to a request for comment.
The Irish regulator declined to comment on which counterparts
had objected to its proposed decision, or on what grounds, but
objections could relate both to its substance and the amount of the
fine.
Under the EU's GDPR, regulators can fine companies up to 2% of
their world-wide annual revenue for failing to notify them of a
data breach within 72 hours, which could reach up to $69 million,
based on Twitter's 2019 revenue. The law, however, directs regulators
to take into account the gravity and duration of the violation, the
type of personal information at issue and other factors, such as
whether the violation was intentional or was part of a broader
pattern.
Ireland's data commission "engaged in a consultation process
with" other regulators to resolve their complaints, said Graham
Doyle, a deputy commissioner. "However, following consultation a
number of objections were maintained and the DPC has now referred
the matter to the European Data Protection Board," the body
representing all EU privacy regulators, he said.
A spokeswoman for the EDPB didn't immediately respond to a
request for comment.
The eventual outcome of the Twitter case will offer the first
indication of how the EU's power-sharing system among regulators
will work in practice. Under the law, in cases that involve
multiple countries, the lead regulator, such as Ireland's data
commission, sends its draft decision to counterparts. They have
four weeks to submit "relevant and reasoned" objections. There is
additional time left to approve revisions based on those
objections.
Any disagreements the regulators can't resolve can be referred
to the European Data Protection Board, which decides in a vote.
That process runs for one month, but can be extended to two, and
then again by two weeks. Once the board approves a decision, the
lead regulator informs the company within a month, according to the
text of the law.
Write to Sam Schechner at sam.schechner@wsj.com
(END) Dow Jones Newswires
August 20, 2020 07:14 ET (11:14 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.