| The EDPB announces but does not release its release on the dispute between SAs in the EU over the appropriate punishment for Twitter’s data breaches. |
The European Data Protection Board (EDPB) has used its powers under the General Data Protection Regulation (GDPR) for the first time to resolve a dispute between data protection authorities (DPA) in the European Union (EU) over an enforcement action. Unidentified DPAs had objected to the proposed action Ireland’s Data Protection Commission (DPC) had circulated, obligating the EDPB to utilize its Article 65 powers to craft a resolution to the disputed part of the action. The enforcement concerned 2018 and 2019 Twitter data breaches. Now, the DPC has a month to craft a decision on the basis of the EDPB decision unless the DPC challenges the decision in the Court of Justice for the European Union (CJEU).
The DPC submitted its draft decision to other DPAs on the Twitter breach in May in accordance with Article 60 of the GDPR. The DPC stated “[t]he draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR” (i.e. the provision pertaining to data breach and proper notification protocol. The DPC further explained
- This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies this week. Deputy Commissioner Graham Doyle has confirmed that: “In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.“
- The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.
In its statement this week, the EDPB said it “adopted by a 2/3 majority of its members its first dispute resolution decision on the basis of Art. 65 GDPR.” The EDPB stated
The Irish supervisory authority (SA) issued the draft decision following an own-volition inquiry and investigations into Twitter International Company, after the company notified the Irish SA of a personal data breach on 8 January 2019. In May 2020, the Irish SA shared its draft decision with the concerned supervisory authorities (CSAs) in accordance with Art. 60 (3) GDPR. The CSAs then had four weeks to submit their relevant and reasoned objections (RROs.) Among others, the CSAs issued RROs on the infringements of the GDPR identified by the lead supervisory authority (LSA), the role of Twitter International Company as the (sole) data controller, and the quantification of the proposed fine.
It appears from the EDPB’s statement that other DPAs/SAs had objected to the size of the fine (which can be as high as 4% of annual revenue), how Twitter violated the GDPR, and Twitter’s culpability based on whether it was the only controller of the personal data or other controllers may have also been held responsible.
The EDPB asserted:
The Irish SA shall adopt its final decision on the basis of the EDPB decision, which will be addressed to the controller, without undue delay and at the latest one month after the EDPB has notified its decision. The LSA and CSAs shall notify the EDPB of the date the final decision was notified to the controller. Following this notification, the EDPB will publish its decision on its website.
The EDPB also published FAQs on the Article 65 procedure.
More recently, the EDPB issued a draft of its construction of a key authority in the GDPR designed to guide and coordinate investigations that cross borders in the European Union (EU). An LSA is supposed to consider “relevant and reasoned objections” to draft decisions submitted by CSAs. If an LSA rejects such feedback, then the GDPR action gets kicked over to the EDPB. However, since this has only happened once, the EDPB thought it appropriate to define the term so all the EU DPA would understand what objections are relevant and reasoned.
The EDPB explained that the guidance “aims at establishing a common understanding of the notion of the terms “relevant and reasoned”, including what should be considered when assessing whether an objection “clearly demonstrates the significance of the risks posed by the draft decision.” The EDPB stated “[t]he unfamiliarity surrounding “what constitutes relevant and reasoned objection” has the potential to create misunderstandings and inconsistent applications by the supervisory authorities, the EU legislator (sic) suggested that the EDPB should issue guidelines on this concept (end of Recital 124 GDPR).”
Article 60 of the GDPR provides if a CSA “expresses a relevant and reasoned objection to the draft decision [of the LSA], the lead supervisory authority shall, if it does not follow the relevant and reasoned objection or is of the opinion that the objection is not relevant or reasoned, submit the matter to the consistency mechanism.” Article 65 also provides that where “a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead authority or the lead authority has rejected such an objection as being not relevant or reasoned,” then the EDPB must step in and work towards a final binding decision. This process was installed so that the enforcement of the EDPB would be uniform throughout the EU and to forestall the possibility that one DPA or a small group of DPAs would construe the data protection regime in ways contrary to its intention. As it is, there have already been allegations that some DPAs have been ineffective or lenient towards alleged offenders.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.
Michael Kans 