Despite “very divergent views” between EU data protection authorities over a case of data breaches by Twitter, a final decision on the bloc’s first major cross-border online privacy case is due to be published on December 17th, it has been revealed.
Irish Data Commissioner Helen Dixon said on Thursday (3 December) that talks with fellow EU data protection regulators had been beset by “high levels of dispute” on a final decision as to Twitter’s punishment following a 2019 disclosure on a bug in its Android app. The bug had led to some Twitter users’ protected tweets being made public.
Ireland is the European home to a number of US technology firms, making the data authority the EU’s lead regulator under the General Data Protection Regulation’s (GDPR) “One Stop Shop” mechanism, which allows companies that conduct cross border data processing to come under the remit of one data regulator.
Irish DPC’s ‘preliminary decision’
In May, the Irish Data Protection Commission had sent a preliminary decision in its probe of Twitter’s practices to the social media firm as well as to other member states – who, due to the cross border nature of the case, were permitted to raise objections on the decision.
For their part, EU national authorities did raise concerns with the preliminary position, in turn forcing the Irish regulator to invoke the GDPR’s dispute resolution process.
“I brought a draft decision to my co decision-makers in May and quite a range of objections were launched by those authorities against my decision,” Dixon said on Thursday.
“Because the objections conflicted in a number of cases, I was unable to resolve them and so I had to call upon the dispute resolution mechanism of the GDPR, which means that the European Data Protection Board steps in and resolves the dispute.”
The European Data Protection Board, the EU’s umbrella data protection authority, has for its part adjudicated on the case in order to address concerns raised by national authorities on the Irish DPC’s draft decision.
The final decision will now be made public on December 17th, Dixon said.
As to the process of managing the EU’s first major cross-border data breach, Dixon also struck a frustrated tone with regards to the “complexity” of coordinating with other EU data protection authorities.
“Am I satisfied? No, the process didn’t work particularly well,” Dixon said. “On the other hand, it is the first time EU data protection authorities have stepped through the process, so maybe it can only get better from here.”
Rules on sanctions under the GDPR allow regulators to enforce fines for violations of up to 4% of a company’s global revenue or 20 million euros, whichever is higher.
[Edited by Frédéric Simon]