So, the day everyone in Ireland with a passing interest in data protection has been waiting for finally arrived yesterday. December 15th, 2020 brought an early Christmas present for us all as the Data Protection Commission published its first decision into the data processing activities of one of the many multinational companies based in Ireland. And there are a few key takeaways from the DPC’s Twitter fine decision.
On the same day, the DPC was up against Facebook in the High Court, where Facebook is seeking to quash the DPC's preliminary decision to suspend its transfers of personal data to the US in the wake of this summer's Schrems II judgment from the CJEU.
What exactly is the DPC fining Twitter for?
If you read the headlines, it looks like the DPC fined Twitter €450,000 for a bug that made protected tweets public going back to 2014. But if you read the 188-page decision, you will see that the Twitter fine actually relates to a failure of accountability, one of the foundations of the GDPR. The decision found two infringements of Article 33:
- Not notifying the DPC within the 72-hour deadline (Article 33(1))
- Not documenting the breach and the decisions taken in response to it (Article 33(5)).
If you are a DPO working with many organisations, routinely assessing breaches and sending notifications to the DPC, you are probably wondering: what can I learn from this?
Background to the incident that led to the Twitter fine
The DPC's decision relates to a breach Twitter publicly disclosed in January 2019, when it announced a bug in its "Protect your Tweets" feature. For several years, Android users who changed the email address on their account had their protected (non-public) tweets made public. Twitter accepted that it had made public content that users had specifically chosen to keep private. That is an unauthorised disclosure, and it rose to the level of a personal data breach requiring notification to a supervisory authority.
The GDPR requires personal data breaches to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach. It also requires you to document the facts of the breach, the data involved, its effects and the remedial action taken, so that the supervisory authority can verify compliance.
In this case, Twitter was found to have failed on both counts. This is the reason for the DPC’s Twitter fine.
The clock is ticking… when the rules say 72 hours, they mean it
To be able to meet the 72-hour deadline for reporting to a supervisory authority, you need a robust set of internal incident-handling procedures. This includes making sure that your information security team know how to assess an issue for privacy impacts and escalate it accordingly.
And it really doesn't matter if it is a new year or a holiday. Your obligations to data subjects apply every day, whether it's Christmas Day, New Year's Day or any other holiday.
Twitter's DPO notified the DPC within 19 hours of being made aware of the issue. However, that was almost 12 days after the initial report. Why did it take the company that long to make its DPO aware of the issue?
- The initial report came from an external contractor to Twitter, Inc., which acts as a processor on behalf of the Irish controller
- The issue was classified as low risk and was not identified as a privacy issue quickly enough
- The DPO was not added to the help desk ticket
- It was the Christmas holiday period.
The DPC rejected all of these excuses, making it clear that Twitter was responsible for the actions of its processor. The 72 hours do not start when your processor contacts you; they start when the processor knows it is dealing with a personal data breach.
So, here’s our advice:
- Pull out all those data processing agreements and check how long you have given your processors to inform you of security incidents (hint: it should be immediately, and in any case no later than 24 hours)
- Check that your incident management plan covers identifying and prioritising privacy incidents and notifying your DPO as soon as possible
Keep a record of every decision, every meeting, every conversation including oral notifications, and make your incident management report as detailed as possible. Pay particular attention to your risk assessment methodology and your analysis of the risk to data subjects.
You need to record all the facts of the breach, including the exact time you were informed of it, all the actions taken (including remedial actions) and the effects the breach could have on data subjects. Ask yourself: is your risk assessment methodology robust enough to stand up to the kind of scrutiny the DPC put Twitter under?
The DPC did not consider the various pieces of documentation Twitter provided (mostly tickets from its help desk system) to be sufficient. It found them too general in nature, and they did not meet the GDPR requirement to enable the supervisory authority "to verify compliance."
So, check the information you are documenting and include:
- Details of the event/incident that occurred and an assessment of whether it led to the "accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data"
- An assessment of the personal data breached, describing the categories and types of personal data and the purposes for which it was processed
- An assessment of the risk and whether it rises to the level requiring notification to data subjects
- If your notification is late, the reasons for the delay and the factors involved
- If processors are involved, how they complied with their obligation to inform the controller "without undue delay"
- A register of personal data breaches that records the consequences of each breach and the measures taken to mitigate its adverse effects on data subjects
- Detailed information, including timings, on how your knowledge of the breach evolved.
What to take away
The clock does not start at the point when your processor informs you. So if your contract gives the processor 72 hours to tell you, you have already failed.
The winter holiday season is soon to be upon us, but Helen Dixon is clear on this one. “Potential risks to the data protection and privacy rights of data subjects cannot be neglected, even for a limited period of days, simply because it is an official holiday day/period or a weekend,” she said. So ask yourself as businesses are winding down for Christmas – have we a plan in place to deal with a personal data breach during the festive period?