In October of 2021, the Circuit Court confirmed the Data Protection Commission’s (“DPC”) decision to fine Twitter €450,000. The DPC had found that Twitter had failed to comply with various obligations regarding the notification of data breaches to the DPC, including the requirement to notify the DPC within 72 hours of becoming aware of the breach.
The Circuit Court confirmation of the earlier DPC decision flew somewhat beneath the radar as, approximately one month earlier, the DPC announced its decision to fine WhatsApp Ireland Ltd €225 million for failure to meet the transparency requirements required by the General Data Protection Regulation (“GDPR”). That decision is currently the subject of judicial review proceedings in the Irish High Court.
The Twitter fine confirmation provides an important reminder to organisations of their obligations in relation to notification of data breaches to the DPC within the 72-hour notification period.
Article 33(1) of the General Data Protection Regulation requires a data controller to report a personal data breach to the relevant supervisory authority, being the DPC in this instance, “without undue delay and, where feasible, not later than 72 hours after” it becomes aware of it, unless the data breach is unlikely to result in a risk to the rights and freedoms of individuals.
The data controller of the relevant personal data in this instance was Twitter International Company (TIC) which is an Irish registered company. Twitter Inc., based in the United States, was acting as a data processor for TIC.
The data breach, which occurred at TIC’s processor, Twitter Inc., related to a bug whereby if a Twitter user with a protected account, using Twitter for Android, changed their email address, their account would become unprotected. The bug was discovered by a contractor of Twitter Inc on 26 December 2018. Due to internal delays, in part due to the Christmas holiday period, TIC, the controller, was only notified of the breach on 7 January 2019 by Twitter Inc. TIC subsequently reported the breach to the DPC on 8 January 2019, well within 72 hours of having been informed.
The DPC’s decision
While TIC informed the DPC within 72 hours of being informed of the breach by its processor, Twitter Inc, the DPC argued that if TIC had effective measures in place, it would have become aware of the breach sooner and ought to have been aware of it on 3 January 2019, at the latest. Accordingly, the DPC found that 3 January was when the 72-hour time period to notify the DPC began to run, meaning the notification on 8 January was outside the 72-hour notification period.
This decision of the DPC demonstrates the expansive approach it has taken to the meaning of the word “aware” within the GDPR. Accordingly, it is no longer sufficient for a controller to rely on the time at which it actually became aware of the breach as the starting point for the 72-hour notification period. Rather, the controller must now consider when it ought to have been aware of the breach, by reviewing potential failures or delays by the processor in notifying the breach to the controller.
In light of this decision, it is very important for controllers to ensure that they have robust notification processes in place for notifications of data breaches by their processors, to minimise the risk of a failure to comply with their notification obligation to the DPC.
About the Authors
Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.
Denise is an associate solicitor in the Commercial and Business team at Hayes solicitors. She advises clients on a variety of commercial and business law matters including drafting, negotiation and review of commercial contracts and advising companies and state bodies in relation to their data protection obligations under the General Data Protection Regulation.