The handling of data by social media companies is regularly debated by lawmakers and business leaders across the world. There have been a number of landmark events over the last 20 years resulting in calls for sanctions to be placed upon large tech companies, perhaps most famously the Facebook and Cambridge Analytica data scandal that saw the data of around 50 million users shared without their consent.
It was recently reported that Twitter is the latest social media organization to be sanctioned, after being fined by Ireland over a bug that caused private tweets to be made public. Twitter was fined €450,000 (equivalent to around $546,000, the WSJ says) because in 2019 it failed to report the breach within the 72-hour statutory notice period given to organizations upon uncovering it. The breach meant that tweets made by accounts that should have been protected may actually have been made public if users made certain changes to their account, such as changing the email address, between November 3, 2014, and January 14, 2019.
This ruling is unique, as a US company has never before been fined under the EU General Data Protection Regulation (GDPR). The new set of data protection regulations was introduced in May 2018 and replaced some regulations that were as much as twenty years old. The full GDPR text contains 99 articles and creates a framework for laws across Europe on how organizations can use data and how individuals can access the data held about them. It took more than four years to agree on the final version, and it does allow countries some flexibility to make small amendments when enshrining the document in their laws. It has been widely praised, and “comparisons have been made with the subsequent California Consumer Privacy Act.”
Alongside being a landmark ruling for the relatively new GDPR rules, the decision was also made using the new “dispute resolution” process. All of the EU counterpart regulators were consulted on this decision about this global company for the first time. It did take almost two years for the decision to be made, including five months of discussion between the commission and its equivalents in other EU countries, with some arguing that this is too slow. Helen Dixon is the head of the Irish Data Protection Commission, which enforces the GDPR for Google, and the Wall Street Journal reported that at a tech conference earlier in December she said of the Twitter case: “Am I satisfied? No. The process didn’t work particularly well. I think it’s too long.” She added: “On the other hand, it is the first time EU data-protection authorities have stepped through the process, so maybe it can only get better from here.”
On the ruling, the BBC reported that “The IDPC said it believed the fine was ‘an effective, proportionate and dissuasive measure’”.
“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer, as reported in the Independent. He added: “We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”
He also said: “We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
Also in recent news regarding data privacy, the EU is about to tighten rules further for social media organizations through the ePrivacy Directive, which will now encompass messaging apps from 21st December. With this in mind, the popular messaging platforms Facebook and Instagram have been changing some of their features in preparation for the new rules taking effect.
Group polls, adding nicknames to chat participants and some of the face filters available in Instagram’s direct messages are all among the features that have been removed. Facebook has opted not to release a full list of the features that have been deactivated, as it hopes to be able to reinstate some of them straight away if they prove compliant with the new rules.
This is the first time a US company has been fined for breaching the EU GDPR data privacy rules, and it will be interesting to note how, or if, this will impact any future rulings.