European data protection regulators are close to making an enforcement decision over the Twitter data breach that the company disclosed publicly in 2019, after the majority of EU data watchers agreed to support a draft settlement previously submitted by the Irish Data Protection Commission.
Twitter revealed the error in its "Protect your tweets" feature at the beginning of last year, saying at the time that some Android users who had activated the feature to make their tweets non-public may have had their data breached since 2014.
Meanwhile, a new data protection regime came into effect in the European Union in May 2018 – meaning that the 2014-2019 breach falls under the EU’s General Data Protection Regulation (GDPR).
The Irish Data Protection Commission is the main authority overseeing the Twitter case, but the cross-border nature of its work means that all data protection agencies in the European Union have an interest in the draft and the ability to file “relevant and logical” objections to it. Objections to the Irish Data Protection Commission’s draft decision were duly raised over the summer – leading to the initiation of a dispute resolution process for cross-border cases set out in the GDPR.
The European Data Protection Council, a body that helps coordinate EU-wide regulatory activity, said today that it has adopted its first decision under Article 65, the mechanism for settling disputes among the European Union’s data supervisors. This means that a majority of at least two-thirds of data protection authorities in the European Union have supported the settlement.
The European Data Protection Council said in a statement: “On 9 November 2020, the European Data Protection Council adopted its binding decision, and will soon formally communicate it to the Irish supervisory authority.”
The council also said: “The Irish supervisory authority must adopt its final decision on the basis of the European Data Protection Council decision, which will be directed to the controller, without undue delay, and no later than one month after notifying the European Data Protection Council of its decision.”
Details of any penalties that Twitter could face – such as a fine – have yet to be confirmed. But the end of the process is now in sight.