The breach arose because of a ‘bug’ in Twitter’s coding, whereby if a user on an Android device changed the email address associated with an account, protected tweets became unprotected, and accessible by the wider public, and not just the user’s followers.
The bug was discovered in December 2018 by an external contractor managing the firm’s ‘bug-bounty programme’, whereby anyone can submit a bug report.
The code bug was traced back to a November 2014 update.
Impact could have been wider?
Between September 2017 and January 2019, a total of 88,726 users were confirmed to be affected, though Twitter accepted that the impact could have been wider.
An inquiry began when the lead authority, the DPC, led by Hlen Dixon (pictured) decided the potential impact for affected individuals was “significant”.
The decision was announced this morning (15 December), concluding an investigation into GDPR breaches, which began in January 2019. The decision was finalised on 9 November.
The fine was calculated given the “nature, gravity and duration” of the data infringement. The initial decision also criticised Twitter for limiting remedial measures to forward actions, and apparent failure to carry out any risk assessment.
However, the DPC rowed back on an initial assessment of the breach as a “systemic” issue.
Duration of breach criticised
The duration of the breach was not “trivial or inconsequential”, the DPC found, and the regulator criticised the “negligent character” of Twitter’s unclear internal protocols.
The DPC found that Twitter infringed Article 33(1) and 33(5) of the GDPR, in terms of a failure to notify the breach on time to the DPC, and a failure to adequately document the breach.
The DPC described the €450,000 fine as “an effective, proportionate and dissuasive measure”.
Failure to meet data-controller obligations
The DPC concludes that the Dublin HQ of Twitter Inc, Twitter International Company (TIC), did not meet its obligations as a data controller under the GDPR, or its obligation to implement “appropriate and effective technical and organisational measures”.
Elements of the inquiry hinged on the relationship between TIC (as data controller) and Twitter Inc, (as data processor).
The DPC finds that TIC as controller was responsible for overseeing the processing operations carried out by its processor, Twitter Inc.
“The controller cannot excuse its own delayed notification on the basis of the processor’s fault,” the decision states.
Therefore, the controller must be considered as having “constructive awareness of the personal breach through its processor”.
It adds that TIC should have been aware of the breach by 3 January 2019, when as processor, Twitter Inc. first assessed the incident as a personal data breach.
The breach was not notified until 8 January
At that point, the Twitter Inc. legal team instructed that the incident be opened as a file. This delay led to the GDPR infringement.
Other supervisory authorities consulted
The draft decision in this inquiry was submitted to other “concerned supervisory authorities” in the EU, under Article 60 of the GDPR in May of this year, which regulates co-operation between the supervisory authorities.
There was legal argument between supervisory authorities in various member states as to the role of Twitter as, respectively, controller and processor of data.
One country authority highlighted that all employees of Twitter worldwide use the same computer system, and follow the same general policies.
The French authority questioned whether the risk of ‘forum shopping’ would be prevented by the DPC draft decision.
The main role of the European Data Protection Board (EDPA) is to ensure the consistent application of the GDPR throughout the EEA.
Failures of data-supervisory authorities
The EDPB in its decision finds that any objections raised by other countries’ data-supervisory authorities did not meet the requirements of the GDPR.
It notes that none of the country-specific objections challenged the conclusion that TIC infringed the GDPR.
The “… objections do not meet the threshold of providing a clear demonstration as to the significance of the risks posed by the draft decision as regards the fundamental rights and freedoms of data subjects … and the free-flow of personal data within the EU,” the EDPB says.
First dispute-resolution decision
This is the first decision to go through the Article 65 dispute-resolution process since the introduction of the GDPR.
The DPC report listed the factors it had considered in determining Twitter International Company’s status as controller and main establishment for the platform.
Twitter had previously confirmed in 2015 that it proposed to make TIC in Ireland the controller for personal data of Twitter users in the EU. TIC Ireland also initially notified the breach to the DPC.
Twitter has 170 employees in Ireland and employs a global data-protection officer for the purposes of the GDPR.
This DPO has the ability to veto data processing.