European data protection chiefs have paved the way for the first GDPR enforcement action against Twitter, after the Irish Data Protection Commission was forced to get their approval on the level of the punishment following demands for a tougher sanction.
The move was sparked by the Irish DPC’s draft decision over a Twitter breach, dating back to November 2018. As the case involved cross-border processing, the Irish regulator was required to cooperate with other EU data protection authorities (DPAs) on the case and submitted its proposal to them in May.
In August, it emerged that an unspecified number of other authorities had raised objections over the level of the punishment, forcing the European Data Protection Board – which is made up of all the DPAs in the EU – to intervene.
The EDPB has now announced that a majority of DPAs have backed the draft settlement. It said it has adopted its first Article 65 decision – referring to the mechanism for settling disagreements between the EU’s DPAs – meaning there was at least a two-thirds majority in favour of the action.
Ireland’s DPC now has up to a month to issue a final decision, although there has been no indication about the level of the penalty.
Even so, the decision has been a long time coming. In August last year, Irish Commissioner Helen Dixon said that her office’s first GDPR ruling was likely to be against Facebook-owned WhatsApp.
However, she conceded it was likely to take months rather than days to arrive at a formal decision, due to a statutory process of “examination and analysis”. In January this year, her office then said that a decision on Twitter was “imminent”; and now it seems, 11 months later, it really is.
The action would only be the Irish DPC’s third ruling since May 2018, when GDPR came into force. Its previous two fines, both against child and family agency Tusla, total just €115,000.
These place the Irish at 24th out of 29 countries when it comes to the value of fines issued, according to a recent analysis carried out by Decision Marketing; only the Isle of Man, Malta, and Croatia have issued fewer penalties.