Twitter privacy breach enforcement delayed

In May 2020, the Irish Data Protection Commission (DPC) submitted a draft decision to other EU Data Protection Agencies (DPAs) in the case of Twitter’s 2018 data breaches. In this case, Twitter warned the DPC of a potentially disabled privacy setting for Android users. Since the violation affected users throughout the EU, the DPC had to send the draft findings of its probe to the EU DPAs. 

A number of objections against this draft decision were raised by the EU DPAs and the DPC engaged with them in a consultation process. However, the consultations were not able to resolve all the objections and the DPC has now referred the matter to the European Data Protection Board (EDPB) triggering for the first time a dispute resolution mechanism under the General Data Protection Regulation (Art. 65). The EDPB now has one month to adopt a decision supported by two thirds of the EU DPAs.

The Twitter breach case is closely watched as it would be the DPC’s first enforcement decision in a cross-border GDPR case and would have an effect on other major pending cases at the DPC (WhatsApp, Facebook, and others).