The Irish Data Protection Commission (DPC), the EU’s lead supervisory authority in cross-border cases involving the many multinationals headquartered in Ireland, is about to deliver a landmark GDPR decision that is expected to set an important precedent for future cases involving globe-spanning tech companies. The privacy regulator is set to rule on Twitter data breach incidents that took place in late 2018 and early 2019, wrapping up an investigation of more than a year into whether the social media giant violated Article 33 of the GDPR (which requires a controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it).
The privacy regulator also indicated that it is “making progress” on a number of other high-profile cases of this nature which could further shape enforcement standards, most notably its inquiry into WhatsApp.
The Twitter GDPR decision
The DPC investigation of Twitter dates back to early 2019. Twitter experienced a relatively minor data breach in late 2018 that involved a vulnerability in a tech support form, and a separate breach in early 2019 in which tweets that users had marked as protected were made public. This particular probe focused not on the root causes of the breaches but on whether Twitter reported them to the authorities and to affected users within the required time.
The investigation concluded in October; since then the DPC has been deliberating on the social media giant’s penalty and has issued a private draft decision. Under the GDPR’s cooperation procedure (Article 60), that draft is circulated to the data protection authorities of the other EU countries whose residents are affected, and any of them may lodge an objection; if the objections cannot be resolved, the European Data Protection Board (EDPB) settles the dispute under Article 65 and its ruling is binding on the final decision. The DPC expects to announce the final terms sometime in July.
The decision is likely to be the first step in addressing a recent wave of criticism of lax enforcement in cross-border cases. Critics contend that data protection authorities are not taking enough of an active role in these cases, particularly with the larger tech companies for which personalized advertising is a major source of revenue.
The slow development of cross-border protocols among privacy regulators
The DPC presides over Dublin’s “Silicon Docks,” which many of the world’s biggest tech names have chosen for their European headquarters due to Ireland’s beneficial tax terms. Because the GDPR’s one-stop-shop mechanism assigns each cross-border case to the authority of the country where a company has its main EU establishment, this has put the Irish privacy regulator on point for large-scale investigations that often span the entirety of the EU. While other data protection authorities participate, the DPC handles the lion’s share of this work.
This has led to a backlog of over 20 substantial cross-border cases, which involve some of the biggest names in tech: Apple, Verizon, Google, LinkedIn and Tinder among them. The DPC spearheads these investigations in addition to handling routine domestic cases.
DPC deputy commissioner Graham Doyle stated that the privacy regulator had made significant progress on four additional cases, all involving platforms owned by Facebook. The main case being watched is the one against WhatsApp, which turns on whether the service gives users sufficiently transparent information about how their data is used, as required by Articles 12 and 14 of the GDPR. The DPC has delivered a preliminary decision to Facebook, WhatsApp’s parent company.
Each data protection authority ultimately has a say in these cases, as well as in the general standards of enforcement that these early decisions will help to establish. Something of a balance needs to be negotiated here, as the EU members vary in their desired penalties for the tougher data protection rules. Public pressure is growing across the EU for some sort of meaningful enforcement actions against the big tech companies, however, as the GDPR is now two years old and few major fines have been handed out to the world’s biggest processors of personal data.
The end result of these GDPR decisions will give all observers the first clear sign of exactly how tough the EU’s privacy regulators intend to be on the big tech firms. The only really significant decision of this type that has been finalized so far is the €50 million fine that France’s CNIL imposed on Google in 2019. The Facebook cases that the DPC is presently examining are related to that decision: they involve complaints that the standard of informed consent is not met because the consent process has too many steps, and/or because the documents informing users of their rights are not clear enough.
The potential for heavy fines is certainly there. The maximum fine that any company could face from a GDPR decision is 4% of its total worldwide annual turnover for the preceding financial year or €20 million, whichever amount is higher (Article 83(5)). The €50 million fine imposed by the French privacy regulator would be a heavy burden for most companies, but is a relative drop in the bucket for Google.
Companies also have the right to appeal these GDPR decisions, and some national courts have overturned them. Spain’s Supreme Court recently overturned a GDPR decision against Microsoft that would have required the company to de-index any Bing search result URLs containing both of an individual’s surnames, even when not accompanied by a first name (Spanish naming convention gives each person two surnames).
GDPR has been talked up as the world’s premier data privacy legislation, but it stands to lose considerable cachet if the fines from privacy regulators are not substantial enough to lead to meaningful change in how the big technology firms handle data processing.