Breach
The completed inquiry relates to Twitter as a data controller based in Ireland, following receipt of a data breach notification from the controller.
The draft decision turns on whether Twitter International has complied with articles 33(1) and 33(5) of the GDPR.
Given the gargantuan figures in previous EU GDPR fines against large tech companies, and the consistency mechanism under article 63, Twitter is likely to be slapped with a large administrative fine if the DPC decides against the information network.
This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies in recent days.
The ramping up of enforcement levels follows a December 2019 opinion from Advocate General Saugmandsgaard Øe that the DPC should be proactive in enforcing the GDPR.
Data transfers
Exercise of the powers to suspend and prohibit data transfers, under GDPR, is “no longer merely an option left to the supervisory authorities’ discretion” the opinion says.
Proper application of the regulation is a requirement of the supervisory authorities, it continues.
The Opinion of the Advocate General is a preliminary stage in CJEU proceedings. The full court may depart from the decision and its logic, but is unlikely to do so.
The full court is scheduled to give its judgement in the Schrems case on 16 July next.
If it follows the reasoning of the Advocate General, then the DPC is likely to become a lot more proactive.
DPC Deputy Commissioner Graham Doyle has confirmed that a preliminary draft decision has also been sent to WhatsApp Ireland Limited for their final submissions.
Any response from Twitter will be taken into account by the DPC before its draft decision under article 60 is published.
The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of GDPR, in terms of transparency around what information is shared with Facebook.
When finalised, that draft decision will likewise be sent to other EU data protection agencies.
The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing.
This inquiry is now in the decision-making phase at the DPC.
Draft inquiry
The DPC has also sent draft inquiry reports to the complainants and companies concerned in two further “big tech” inquiries – the Instagram and WhatsApp platforms respectively.
The CJEU has also said that it will deliver its judgment in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) on 16 July.
The case concerns the DPC’s High Court on the regulation of international data transfers under EU data protection law.
The commission says the eagerly-anticipated judgment will bring much-needed clarity to aspects of the law and will represent a milestone in the law on data privacy.
Article 60 concerns data protection agency co-operation in Europe where an organisation with multi-jurisdictional reach is being investigated by a "lead supervisory authority", such as the DPC.
This news follows the €75,000 fine levied on child protection agency Tusla last week for three data breaches.
Second decision
The DPC has also issued a second decision against Tusla and the child and family agency has 28 days to appeal that decision.
In his recent Opinion, Advocate General Saugmandsgaard Øe gave the view that the DPC should have been more proactive in dealing with matters, and that it was the duty of data protection regulators to proactively enforce the GDPR.
The Opinion of the Advocate General is a preliminary stage in ECJ and CJEU proceedings where a reasoned opinion as set out. It is open to the full court to depart from the decision, and the reasoning, in the Opinion, but it usually does not do so.
The full court is scheduled to give its judgement in the case on 16 July next.