Twitter inches closer to first cross-border GDPR penalty

Twitter is inching closer to becoming the subject of the Irish Data Protection Commission’s first major cross-border GDPR decision.
The European Data Protection Board (EDPB) has adopted its first Article 65 decision – meaning at least a two-thirds majority of EU DPAs have backed coming to an enforcement decision into Twitter’s GDPR compliance.
In 2019, Twitter publicly announced an own-violation of its private tweets feature, stating that some private tweets on Android devices may have been exposed to the public during the years 2014 to 2019.
Twitter’s lead regulator in the region, Ireland’s Data Protection Commission (DPC), began investigating the
breach in November 2018 and completed the probe earlier this year.
The DPC submitted a draft decision to other EU DPAs for review on 22 May 2020, but many EU watchdogs – who have the right to raise objections on draft decisions where users in their countries are affected – were not happy with the DPC’s draft Twitter decision. These objections have not been made public.
Following a consultation between the DCP and EU supervisors, a number of objections to the draft were maintained, according to Graham Doyle, the DPC’s deputy commissioner. The DPC rejected the objections, as they were not “relevant and reasoned”, according to the EDPB.
As a result, the matter was referred to the European Data Protection Board (EDPB) under Article 65 of the GDPR – a process that handles objections on draft decisions – to initiate “the dispute resolution procedure”. Under Article 65, DPAs have one month to reach a two-thirds majority.
Yesterday (10 November), the EDPB announced its first decision on Article 65, meaning that Twitter incident in question may result in the Irish DPC’s first enforcement decision in a cross-border GDPR case. The EDPB’s statement says:
“The Irish SA shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision. The LSA and CSAs shall notify the EDPB of the date the final decision was notified to the controller.”
Andrea Jelinek, board chair of the EDPB told Tech Crunch, “I can confirm that the Irish DPC has triggered an Art 65 procedure and that the EDPB will work on this issue [as] foreseen in Art 65 GDPR (dispute resolution by the board) within the given timeframe.”

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.