by Laura Fannin , Denise O’Shaughnessy December-06-2021 in Commercial & Business, Data Protection, Technology

In October of 2021, the Circuit Court confirmed the Data Protection Commission’s (“DPC”) decision to fine Twitter €450,000. The DPC had found that Twitter had failed to comply with various obligations regarding the notification of data breaches to the DPC, including the requirement to notify the DPC within 72 hours of becoming aware of the breach.

The Circuit Court confirmation of the earlier DPC decision flew somewhat beneath the radar as, approximately one month earlier, the DPC announced its decision to fine WhatsApp Ireland Ltd €225 million for failure to meet the transparency requirements of the General Data Protection Regulation (“GDPR”). That decision is currently the subject of judicial review proceedings in the Irish High Court.

The Twitter fine confirmation provides an important reminder to organisations of their obligations in relation to notification of data breaches to the DPC within the 72-hour notification period.


The obligation

Article 33(1) of the General Data Protection Regulation requires a data controller to report a personal data breach to the relevant supervisory authority, being the DPC in this instance, “without undue delay and, where feasible, not later than 72 hours after” it becomes aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of individuals.


Background

The data controller of the relevant personal data in this instance was Twitter International Company (TIC) which is an Irish registered company. Twitter Inc., based in the United States, was acting as a data processor for TIC.

The data breach, which occurred at TIC’s processor, Twitter Inc., related to a bug whereby if a Twitter user with a protected account, using Twitter for Android, changed their email address, their account would become unprotected. The bug was discovered by a contractor of Twitter Inc. on 26 December 2018. Due to internal delays, in part attributable to the Christmas holiday period, TIC, the controller, was only notified of the breach by Twitter Inc. on 7 January 2019. TIC subsequently reported the breach to the DPC on 8 January 2019, well within 72 hours of having been informed.


The DPC’s decision

While TIC informed the DPC within 72 hours of being informed of the breach by its processor, Twitter Inc., the DPC argued that if TIC had had effective measures in place, it would have become aware of the breach sooner and ought to have been aware of it on 3 January 2019 at the latest. Accordingly, the DPC found that 3 January was when the 72-hour period to notify the DPC began to run, meaning the notification on 8 January fell outside the 72-hour notification period.


Take-away

This decision of the DPC demonstrates the expansive approach it has taken to the meaning of the word “aware” within the GDPR. Accordingly, it is no longer sufficient for a controller to rely on the time at which it actually became aware of the breach as the starting point for the 72-hour notification period. Rather, the controller must now consider when it ought to have been aware of the breach, by reviewing potential failures or delays on the part of the processor in notifying the breach to the controller.

In light of this decision, it is very important for controllers to ensure that they have robust processes in place for the notification of data breaches by their processors, in order to minimise the risk of failing to comply with their notification obligation to the DPC.

For further information or to discuss, please contact Laura Fannin lfannin@hayes-solicitors.ie or Denise O’Shaughnessy doshaughnessy@hayes-solicitors.ie from the Commercial and Business team.
