On December 15, 2020, Ireland’s Data Protection Commission (“DPC”) announced its decision to fine Twitter International Company (“Twitter”) €450,000 for failing to notify the DPC promptly of a data breach affecting EU personal data in compliance with the EU General Data Protection Regulation (“GDPR”). The decision received all the press coverage that is to be expected for any decision involving Big Tech and was the largest GDPR fine issued by the DPC to date. However, the significance of the decision really lies in the message that Controllers cannot escape their breach notification obligations due to failures on the part of their Processors.
- Controllers cannot shield themselves behind a Processor’s failure to act. The DPC noted that Controllers are responsible for ensuring there is an effective process in place that requires Processors to inform Controllers promptly of a personal data breach so that Controllers can meet their own obligations. If no such process is implemented, or if the process fails, Controllers will have constructive awareness of the data breach and will remain responsible for any failure to notify regulators of a notifiable data breach within the 72-hour timeframe. Although this decision centered around a failure to notify of a data breach, the reasoning behind the decision with respect to the culpability of Controllers is readily transferable to other situations where Processor actions cause a Controller to breach its GDPR obligations.
- All companies should consider how their policies and procedures play out in security incidents and, specifically with respect to Processor reporting, assess whether breach detection and reporting procedures are sufficiently robust. A written incident response plan can help ensure clear lines of communication, but just as importantly, Controllers must ensure they are carrying out appropriate checks on their Processors prior to engagement and continue to monitor implementation of appropriate procedures within their Processor organizations that are designed to eliminate the risk of data breach reporting delays or failures, including training Processor personnel in identification and escalation of security incidents, regular testing of procedures, audits, and documentation.
- The Twitter decision also considered the obligation to document data breaches and highlighted the need to ensure fulsome and specific recording of the facts, effects, and remedial actions taken, including a company’s assessment regarding the risks to data subjects. Recording generalized documentation generated in the context of a Controller’s management of an incident will not suffice.
- The case is also the first one to go through the GDPR “dispute resolution” process set out under Article 65 of the GDPR, meaning that all EU supervisory authorities were consulted by the DPC as concerned supervisory authorities.
The GDPR requires any company responsible for determining the purposes and means of processing personal data (a “Controller”) to notify relevant European authorities of certain personal data breaches within 72 hours of becoming aware of the breach. Service providers processing personal data on behalf of the Controller (“Processors”) are required to notify Controllers of the breach without undue delay. Controllers must keep adequate documentation of the personal data breach, including the facts relating to the breach, its effects, and the remedial actions taken.
The DPC (which acts as Twitter’s ‘lead’ privacy regulator on behalf of the entire EU due to Twitter’s European headquarters in Ireland) started an investigation against Twitter in January 2019, following receipt of a breach notification from Twitter. The breach in question, which occurred in December 2018, involved a bug in Twitter’s Android application whereby private tweets of select users were publicly exposed.
The DPC determined that Twitter did not notify the DPC of the breach within the GDPR 72-hour deadline and did not adequately document the breach. According to Twitter, the delay in notifying the breach to the DPC within the required timeframe resulted from a failure by Twitter, Inc., which acted as a Processor, to notify Twitter’s data protection officer of the potential breach when it became aware of the incident.
The DPC, however, determined that a Controller could not excuse delayed notification of a breach on the basis of a failure on the part of its Processor. Although the DPC noted that, in line with EU authorities’ GDPR data breach guidance, a Controller should be deemed to “become aware” of the breach when it is notified of it by the Processor, the Controller has a responsibility to ensure that it has sufficient measures and an effective process in place to facilitate prompt awareness and the timely notification of data breaches, including where the processing is outsourced to a Processor. Where this does not occur and results in a delay in notification, according to the DPC, the Controller shall be considered to have “constructive awareness” of the breach through its Processor.
A common perception amongst Controllers (and a defense put forward by Twitter) was that the 72-hour clock does not start until they actually become aware of a notifiable data breach, notwithstanding that a Processor may be aware of the data breach. On this interpretation, a Controller would never have to notify of a data breach affecting its Processor if the Processor does not itself notify the Controller. The DPC rejected this interpretation. Processors are required to assist Controllers in achieving compliance with the GDPR; however, this requirement does not amount to a shift in responsibility. Controllers are responsible for overseeing Processor operations and ensuring that Processors do in fact meet their obligations to notify Controllers of a data breach in a timely manner so as to enable Controllers to meet their own notification obligations. It follows that Controllers cannot hide behind the failure of a Processor. This is a crucial finding that highlights the importance of Controllers and Processors cooperating seamlessly in the context of security incidents giving rise to potential breach notification obligations. It also reiterates the need to ensure not only that clear data breach notification procedures are outlined in data processing agreements, but also that practical measures are taken to ensure Processors are appropriately educated and trained on those procedures and that those procedures are, in fact, followed. Expect to see far greater focus on data breach notification obligations in contracts, as well as additional leverage for Controllers wishing to minimize Processor attempts to limit liability.
As a secondary point, the DPC also found that Twitter did not maintain adequate documentation of the data breach as required by the GDPR, such as an incident report providing an explanation of the issues that caused the delay in notification to the DPC and the company’s risk assessment in relation to the breach. On this point, the DPC noted that the documentation of the breach provided by the company consisted mainly of documentation of a more generalized nature, such as various reports and internal communications, that were generated in the context of the company’s management of the incident. Such documentation, according to the DPC, did not contain sufficient information to allow the DPC to verify Twitter’s compliance with the GDPR data breach notification requirement.
FINE AND GDPR CONSISTENCY MECHANISM
The DPC initially proposed to fine Twitter approximately €135,000 to €275,000. In light of the cross-border nature of the processing of personal data that was the subject of the breach, the DPC, as the lead supervisory authority for Twitter, submitted its draft decision to other concerned EU supervisory authorities (who raised a number of objections regarding some substantive aspects of the DPC’s proposed decision). The DPC and the supervisory authorities were ultimately unable to reach a consensus, so the matter was referred to the European Data Protection Board (the “EDPB”) in accordance with the ‘consistency mechanism’ under Article 65 of the GDPR and the associated dispute resolution procedure.
This case represents the first time that the GDPR dispute resolution procedure has been used. The EDPB evaluated the matter and required the DPC to re-assess and increase the level of the fine in order to ensure it fulfills its purpose as a corrective measure and is dissuasive and effective. Following the EDPB’s decision, the DPC then increased the fine to €450,000 in its final decision to give appropriate weight to the scope and nature of the processing and the fact that the affected Twitter users had deliberately chosen to restrict the audience for their tweets. As mitigating factors, the DPC considered the relevant violations to be negligent rather than intentional and the steps taken by Twitter to rectify the bug that gave rise to the breach.
The fine is significantly lower than the maximum fine that the DPC was entitled to issue under the GDPR (up to 2% of a company’s global annual revenue for the preceding financial year for the type of violations concerned here). Interestingly (and perhaps of concern to multinational entities with EU cross-border activities), certain of the other EU supervisory authorities involved in the proceedings were seeking much higher fines to ensure the fine was effective and dissuasive (for example, the German authorities requested imposing a fine of between €7.3 million and €22 million for the violations concerned).
Twitter’s proposition that a Controller’s performance of its obligations is contingent upon performance by a Processor of its own independent obligations was rejected by the DPC, who considered this position to be “entirely at odds with the overall purpose of the GDPR.” Although the DPC was clear that this decision focused solely on the data breach notification obligation, the finding that Controller obligations remain extant, notwithstanding Processor failures, is more broadly applicable. It also highlights that there must be a high bar for Controllers to establish they are “not in any way” responsible, and therefore can avoid liability, for damage caused by Processor activities.
Regulators are looking not only for the existence of policies and procedures around security incidents but for proper and effective accountability by Controllers, including ongoing training and maintenance and implementation of data security policies and procedures, together with detailed documentation. Inadequate oversight or failures to maintain tested protocols for handling of data breaches could, as much as anything, lead to notification failures or delays and, subsequently, fines from European or other authorities. Controllers will need to carefully consider their contractual, technical, and organizational measures as they relate to Processors in light of this decision, from the initial Processor due diligence and throughout the relationship.
On January 18, 2021, the EDPB published draft Guidelines 1/2021 on “Examples regarding Data Breach Notification”, which supplement the existing EU authorities’ guidance on data breach notification under the GDPR. The new Guidelines are aimed at helping Controllers decide how to handle data breaches and what factors to consider during risk assessment, with illustrative use cases for various types of security incidents, and are open for public consultation until March 2, 2021. We are hopeful that the Guidelines, once finalized, will give Controllers practical guidance on the steps, measures and documentation that EU authorities expect them to adopt in this area.