The Irish Data Protection Commission had initially proposed a lower fine of €135,000-€275,000 against Twitter for a data breach but was directed to set a bigger fine to deter future breaches.
Twitter was ultimately fined €450,000 by the Data Protection Commission for the breach, marking the first time the regulator penalised a “big tech” company under EU data privacy rules.
The Irish watchdog started an investigation into Twitter in January 2019 after the social media giant posted users’ private messages in public.
The commission found that it breached the EU GDPR rules by failing to notify the breach on time to the watchdog and by failing to adequately document it.
In consultations with other national regulators in the EU on a potential fine for Twitter, Germany’s data protection commissioner objected to the size of the lower fine initially proposed, arguing that it was “too low” and “not dissuasive” enough to deter further infringements and to uphold confidence in the law.
The German regulator believed that the fine should range from €7.3 million to €22 million, according to the European Data Protection Board’s decision on the dispute over the proposed fine among the various national data protection authorities within the EU.
It said that “the dissuasive effect of high fines can only be achieved if the amounts imposed cannot be easily paid because of large assets or high income” and that a “dissuasive fine” would have to be “so high that it would render the illegal data processing unprofitable”.
Twitter could have been fined up to $60 million, based on a cap of 2 per cent of turnover and the company’s annual turnover of $3 billion in 2018, the figure considered by the Irish regulator as the lead supervisor in the case.
The Irish regulator’s proposed fine was 0.005-0.01 per cent of Twitter’s annual turnover or 0.25-0.5 per cent of the maximum potential fine.
Sensitive data
The Austrian Data Protection Authority objected to the size of this proposed fine, arguing that at least 88,726 people were affected by the data breach “but probably more” and that it was “very likely that sensitive data were disclosed to the broader public”.
It argued that the fine could equate to a minimum of 1 per cent of Twitter’s annual turnover, roughly €25 million.
The Hungarian regulator said that the proposed fine was “unreasonably low, disproportionate and thus not dissuasive in view of the gravity of the committed infringement and [Twitter’s] worldwide market power”.
The Italian regulator asked for the proposed fine to be reviewed, arguing that it would have an effect not just on the case “but also on any data breach that may occur in the future”.
It raised the “significance of the risks for the rights and freedoms of data subjects with respect to the quantification of the fine”, the board said of the Italian objection.
The EU oversight board eventually asked the Irish regulator to increase the fine to be imposed and to “reassess the elements it relies upon” to calculate the fine to “ensure it is appropriate to the facts of the case”.
The board said that the Irish regulator in its draft decision “should have given greater weight to the element relating to the nature, scope and negligent character of the infringement and therefore consider that the proposed fine range should be adjusted accordingly”.