EDPB Steps Into Twitter Investigation

The European Data Protection Board (EDPB) will soon have the opportunity to use a key power for the first time since its inception in order to resolve a dispute among data protection authorities (DPA) in the European Union (EU). Unnamed DPAs have objected to proposed ruling by Ireland’s Data Protection Commission (DPC), the lead DPA investigating 2018 and 2019 Twitter data breaches. Consequently, per the General Data Protection Regulation (GDPR), the disagreement has been handed off to the EDPB, and depending on how resolution of this matter happens, the body could decide Twitter’s punishment, including a possible fine of up to 4% of its worldwide revenue. What’s more, the DPC is the lead agency investigating Facebook’s WhatsApp and Instagram, among other large technology companies, and may have to relinquish those decisions as well if other DPAs disagree with the DPC’s proposed punishment for any wrongdoing.

The DPC submitted its draft decision to other DPAs on the Twitter breach in May in accordance with Article 60 of the GDPR. The DPC stated “[t]he draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR” (i.e. the provision pertaining to data breach and proper notification protocol. The DPC further explained

• This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies this week. Deputy Commissioner Graham Doyle has confirmed that: “In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes.  The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.“
• The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.

Article 65 of the GDPR provides that the EDPB will make a binding decision on an investigation where “a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned.” In this case, at least one DPA has raised an objection to the DPC’s draft decision, thus triggering Article 65. Then the EDPB has a month to get two-thirds of its members to agree to a binding decision it may draft. If this is not achieved, then the Board has another two weeks to get a simple majority, and if this does not occur, then EDPB Chair  Andrea Jelinek alone may decide. Consequently, it is possible the EDPB redrafts the DPC decision and tries to get buy in from the DPAs that make up the Board to support a stronger punishment of Twitter.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by Roland Mey from Pixabay