The Dublin Circuit Court has confirmed the Irish Data Protection Commission’s (DPC) decision to impose a GDPR fine of €450,000 on Twitter for failing to report a data breach in time.
The court has now confirmed the “administrative fine” (GDPR fine) the DPC had imposed on the social media giant through its draft decision in December 2020. Back then, it was the first draft decision in a big tech case.
Details of the incident
Twitter disclosed a data breach in January 2019. A security flaw exposed private tweets from Twitter’s Android users for over four years. When a user with a protected account changed their email address, their account would become unprotected.
As per the General Data Protection Regulation (GDPR) mandate, Twitter notified the DPC. However, the DPC investigated the incident and found that Twitter failed to inform the authority within 72 hours. The company informed the DPC of the personal data breach on January 8th, although it ought to have been aware of it at the latest by January 3rd, 2019.
As per Article 33 of the GDPR, any data controller shall notify a personal data breach to the supervisory authority within 72 hours. The supervisory authority is the Irish DPC in this case, since Twitter’s international headquarters are based in Ireland.
What’s the role of a court though?
The DPC “had the decision confirmed” in the Dublin Circuit Court. Ireland has passed the Data Protection Act of 2018 to give effect to GDPR.
As per Section 143 of the Act, where a data controller or processor does not appeal against a decision to impose a fine, the Commission shall make an application in a summary manner to the Circuit Court for confirmation of the decision. The court then hears the application and confirms the decision, unless it sees good reason not to do so.
You can read the European Data Protection Board’s binding decision on the issue here.