German data protection officers in particular have long been waiting for far-reaching decisions against the “big data octopuses” from the USA on the basis of the General Data Protection Regulation (GDPR). The Irish data protection authority, which is usually responsible for the large tech groups, announced on Friday that it has reached a first relevant decision in a case concerning an unspecified data breach at Twitter.
Deadlines and measures
The main issue in the dispute is whether the operator of the social network reported the leak in good time within 72 hours and adequately documented the violation and the remedial measures taken.
According to its own statement, the Dublin Data Protection Commission (DPC) has sent a draft decision to the European Data Protection Board (EDPB) to coordinate it with the supervisory authorities of the other EU member states. A high penalty could soon be imposed on Twitter: the GDPR provides for fines of up to EUR 20 million or four percent of a company’s annual turnover.
WhatsApp, Facebook, Instagram
In addition, a preliminary draft decision was sent to WhatsApp this week, said Irish Data Protection Officer Graham Doyle. The provider of the messenger service still has the opportunity to comment on the allegations. The DPC will take this feedback into account in its final proposal and then also inform the EDPB.
In the case of WhatsApp, which belongs to Facebook, the authority is investigating whether the group has complied with the extensive information requirements of Articles 12 to 14 GDPR. Part of the case is the question of whether WhatsApp has given users sufficiently transparent information about which data flows to the parent company.
The DPC has also completed an investigation into how Facebook processes personal data; there, the decision-making phase has begun. In a further case concerning WhatsApp, and in another concerning Instagram, which also belongs to Facebook, it sent draft investigation reports to the complainants and the companies concerned.
The announcements were made shortly before Monday, the date marking two years since the GDPR came into effect. On Thursday, the DPC had already announced that it had imposed its first sanction on the basis of the GDPR. However, this was not directed at a technology group but at the national child and family agency Tusla.
The Federal Data Protection Officer Ulrich Kelber and some of his colleagues have long been trying to spur the Irish into action against Facebook & Co. The DPC decides on data breaches by many US Internet companies because they have their European headquarters in Ireland. However, it is considered chronically understaffed and makes very slow progress in the proceedings it has initiated. In February, the EDPB called for cooperation in this area to be urgently improved.
GDPR: previous penalties
Since the GDPR came into force, only two fines have been imposed on large internet companies: Hamburg’s data protection commissioner Johannes Caspar fined Facebook’s German subsidiary 51,000 euros for failing to inform him of the change of its data protection officer, and the French data protection authority CNIL fined Google 50 million euros for lacking effective consent and transparency.