RegSol Blog

Data Protection Commissioner Issues Draft Decision Against Twitter

May 2020

The Irish Data Protection Commission (DPC) submitted a draft decision on the 22 May to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. 

This was initiated by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 2Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies, including WhatsApp Ireland Limited. The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.

The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.

By Judy de Castro - Regulatory Consultant