Two-and-a-half years after going into effect, the European Union’s new privacy law has its first fine for a U.S. tech company in a cross-border case—an overdue development, critics say.
Ireland’s Data Protection Commission said on Tuesday that it is fining Twitter Inc. €450,000, equivalent to about $546,000, for failing to document or properly notify the regulator within 72 hours of learning of a data breach disclosed in January 2019 that exposed some users’ private tweets.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers,” said Damien Kieran, Twitter’s chief privacy officer, adding that the delay in notification was an “unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day.”
The case is a bellwether because it is the first in a long pipeline of privacy cases in Ireland against big U.S. tech companies, including Facebook Inc., Apple Inc. and Alphabet Inc.’s Google. Ireland’s data commission leads enforcement of the EU’s General Data Protection Regulation, or GDPR, for those and other U.S. companies that have their regional headquarters in the country.
From start to finish, it has taken nearly two years for Ireland’s data commission to arrive at a decision in the Twitter case, including nearly five months for the commission and its counterparts in other EU countries to squabble over jurisdiction, investigatory scope and the amount of the fine. That is fueling frustration among some privacy activists and EU privacy regulators that the bloc’s enforcement is too slow.
“We are coming to a turning point where the GDPR really needs to start delivering,” said David Martin, senior legal officer at BEUC, an umbrella organization for European consumer-rights groups that is a strong supporter of the law. “The credibility of the whole system is at stake if enforcement doesn’t improve.”
One sign of that frustration is that some other regulators are starting to push their own privacy cases using laws other than the GDPR, said Paul Nemitz, principal adviser on justice policy for the European Commission, the EU’s executive arm. Last week, France’s privacy regulator, the CNIL, fined Google and Amazon.com Inc. a combined $163 million for violations of a separate rule called the ePrivacy directive. That allowed the CNIL effectively to side-step the power sharing with other EU privacy regulators built into the GDPR, known as the one-stop shop.
“It is important that the lead authority for Google and other tech companies enforce GDPR properly to preserve the functioning of the one-stop shop,” Mr. Nemitz said.
Helen Dixon, the head of the Irish Data Protection Commission, which is responsible for enforcing the GDPR for Google, said that GDPR enforcement and power sharing are a work in progress, and that her office has been handling its cases methodically to make sure that its decisions stand up to expected court challenges.
“Am I satisfied? No. The process didn’t work particularly well. I think it’s too long,” Ms. Dixon said of the Twitter case in an interview broadcast at a tech conference earlier this month. “On the other hand, it is the first time EU data-protection authorities have stepped through the process, so maybe it can only get better from here.”
A spokesman for the Irish data commission said its decision was the first one to go through the GDPR’s dispute-resolution process and marked the first time an EU privacy regulator had consulted all of its EU counterparts on a decision involving a big tech company.
The case stems from a security hole that Twitter said it fixed in January 2019 that, over a period of more than four years, exposed the private tweets of some users. Ireland’s investigation later found that the company’s data-protection officer wasn’t copied on an incident ticket initially, leading to a delay in notifying the regulator.
In May 2020, after 15 months of investigation and at least four rounds of back-and-forth with Twitter, Ireland’s data commission sent a draft decision finding Twitter in violation of breach-notification rules to its counterparts as part of a comments process stipulated in the GDPR, according to a timeline provided by the European Data Protection Board, which is composed of the privacy regulators from all 27 EU member states. Several raised objections on an array of points—some of them contradictory. In August, Ireland triggered a dispute-resolution process at the European board.
One major source of contention was the fine. The GDPR allows privacy regulators to fine a company up to 2% of its global annual revenue—or $60 million, based on Twitter’s 2018 revenue—for failure to properly notify the regulator of data breaches. But the Irish data commission recommended a fine of only 0.25% to 0.5% of that maximum because it found the violation was negligent, not intentional or systematic. Hamburg’s privacy regulator, representing Germany, wanted a more dissuasive fine, citing a range between €7 million and €22 million, according to the European board.
In early November, the board issued its final decision on the disputes, siding with Ireland on all the issues apart from the fine, which it ordered the data commission to increase, but without specifying an amount.
The €450,000 fine Ireland assessed was about two-thirds higher than the top of the range it had originally proposed. The regulator described it as “an effective, proportionate and dissuasive measure.”
The next cases nearing completion in Ireland include one involving the chat service WhatsApp, one of 14 cases that the country’s data commission has opened into Facebook and its subsidiaries.