It has emerged the Irish Data Protection Commission’s €450,000 (£410,000) Twitter fine, issued yesterday for GDPR data breach failings, was greeted with a barrage of opposition from many of the leading EU data protection authorities (DPAs), who not only believed the penalty was too low but also questioned the Irish DPC’s competence.
The 47-page, 26,678 word ruling, published by the European Data Protection Board, shows that the Austrian, German, French, Hungarian, Spanish, Italian, and Dutch authorities were the ones which did not think the punishment was severe enough.
The document states that objections included the competence of the Irish DPC; the infringements of GDPR identified; the existence of possible additional (or alternative) infringements of GDPR; the lack of a reprimand; and the calculation of the proposed fine.
It is no coincidence that these DPAs are among the most punitive when it comes to GDPR rulings. According to a Decision Marketing analysis of data provided by the CMS.Law GDPR Enforcement Tracker, in October this year Spain’s data protection authority had already issued 143 fines, with Hungary (32), Italy (31) and Germany (27) all very active.
In comparison, the Twitter fine is only the Irish DPC’s third penalty, with the UK Information Commissioner’s Office – no longer part of the EDPB – on four.
In August, it emerged that other DPAs had raised objections over the level of the Twitter punishment, forcing the EDPB to intervene. Ultimately the ruling was passed by a two-thirds majority of the 28 DPAs. However, the issue does expose just how difficult cross-border GDPR decisions will be.
One industry source said: “This paltry fine will do little to bring tech giants into line; in fact it could do more harm than good as it exposes just how fragile GDPR is. If you have some of the biggest enforcers saying the penalty is too low, they are more likely to be put off forwarding complaints to the Irish and instead will opt to prosecute companies through their domestic laws instead.”
The French appear to have already lost faith in the one-stop shop system. Last week, data protection regulator CNIL fined Google and Apple a total of €135m (£123m) for cookie violations under the France’s data protection legislation and not GDPR. This meant that the investigation did not have to go through the Irish Data Protection Commission or be approved by other EU states.
Privacy organisation NOYB, fronted by Austrian Max Schrems, recently filed two complaints against Apple, in Germany and Spain, also under the ePrivacy Directive, insisting the move was a deliberate attempt not to trigger the cooperation mechanism of GDPR.
The CNIL ruling explained: “In its decision, the committee recalled that the CNIL is materially competent to control and sanction cookies placed by the companies on the computers of users living in France. Thus, it emphasised that the cooperation mechanism provided for by the GDPR was not intended to apply in this procedure.”
Twitter fined just €450,000 in first major Irish ruling
Ça alors! French shun GDPR to clout Google and Amazon
Apple cut to the core by new unlawful tracking claims
Irish data regulator ‘go-slow’ triggers judicial review
The end is nigh: EU chiefs finally sanction Twitter fine
ICO and Irish DPC ‘among the worst GDPR enforcers’
Irish data regulator issues first GDPR ruling in two years
EU chiefs force review of Irish draft GDPR Twitter ruling
WhatsApp and Twitter facing first major GDPR rulings