Following the decision of a majority of EU data supervisors to support a proposed settlement from the Irish Data Protection Commission (DPC), the enforcement of a General Data Protection Regulation penalty is imminent fir Twitter in relation to a privacy breach that the company publicly submitted during in 2019.
The vulnerability was discovered in the social media platform’s ‘Protect your tweets’ service. Twitter publicly revealed the flaw which was exposing the private data of a portion of the service’s users to the public Internet dating back to 2014. The lead supervisor authority in the legal action is the DPC. However. as the incident involves a company that has a foothold in a number of different EU member states all EU data protection agencies have an interest and the ability to make “relevant and reasoned” objections to the proposed settlement.
Similar to many other US tech companies, Twitter’s European headquarters is located in Dublin, which is the reason for the Irish Data Privacy Commission being the lead privacy regulator in matters relation to the social media platform’s work in the EU.
In a statemen made during August 2020 the DPC said “Following consultation a number of objections were maintained and the (Irish Data Privacy Commission) has now referred the matter to the European Data Protection Board.”
An announcement was made yesterday revealing that the European Data Protection Board (EDPB) has adopted its first Article 65 decision having received the support of a minimum two-thirds majority of the EU DPAs. It said: “On 9 November 2020, the EDPB adopted its binding decision and will shortly notify it formally to the Irish SA.”
It continued “The Irish SA [supervisory authority] shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision.”
Specific details in relation to any actual financial penalty Twitter may be sanctioned with are as yet unknown.