
Gaining knowledge about the impact of the GDPR on your business is critical. If you are in doubt of your obligations, please contact Nusrat Qureishi

By Nusrat Qureishi, Senior Associate

Ireland’s Data Protection Commission (DPC) has concluded its investigation into Twitter and the expectation is that the tech giant will face its first penalty under the EU's General Data Protection Regulation (GDPR). The DPC is responsible for monitoring Twitter's compliance with the GDPR (as its European operations are based in Ireland due to its low tax rates for technology companies).

On 17 January 2019 Twitter disclosed that it had accidentally revealed some users’ ‘protected’ (private) tweets. As a result of a bug in the ‘Protect your Tweets’ setting (which allows people to use Twitter in a non-public fashion), some Android users had their tweets made public over a period of several years.

Twitter revealed that users may have been impacted by the problem if they made certain account changes between 3 November 2014 and 14 January 2019 - the day the bug was fixed. This is a sizable mistake on Twitter’s part, as it essentially made available to the public content that users had explicitly indicated they wanted to keep private. The expectation is that this error could result in a massive GDPR financial penalty for Twitter for the data breach violation.

The new data protection regime came into force in the EU on 18 May 2018, meaning the 2014-2019 breach falls under the GDPR, an EU-wide regulation controlling how companies and other organisations handle personal data. It is the most significant initiative on data protection in 20 years and has major implications for any organisation in the world serving individuals from the EU.

To give people control over how their data is used and to protect ‘fundamental rights and freedoms of natural persons’, the legislation sets out strict requirements on data handling procedures, transparency, documentation and user consent. 

GDPR places a legal obligation on data controllers to adequately protect personal data. Financial penalties for violations of the framework can scale up to 4% of a company's annual global turnover. The largest GDPR fine in the UK to date remains the Information Commissioner’s Office (ICO) Notice of Intent to fine British Airways (BA) £183.39 million on 8 July 2019. While the Notice of Intent, as the name suggests, is not a final decision by the ICO, it is the first step towards the Commission imposing a heavy civil monetary penalty.

In the UK, misdirected emails have been the primary cause of data loss reported to the ICO. More and more GDPR fines are being issued and, as of July 2020, around 330 fines have been handed out for violations.

Gaining knowledge about the impact of the GDPR on your business is critical. Over the next three weeks Nusrat Qureishi, a solicitor in our commercial department, will be reviewing what the GDPR is and how it will impact business post-Brexit.
If you are in doubt of your obligations, please contact Nusrat Qureishi in our commercial department for further advice on email: or tel: 01892 515022.

This blog is not intended as legal advice that can be relied upon and CooperBurnett does not accept any responsibility for the accuracy of its contents.



November 26, 2020