Two and a half years after the new data protection law of the European Union came into force, the first fine was imposed on an American technology company in an international case, which according to critics should already have happened.
The Irish Data Protection Commission announced Tuesday (15) a fine of $ 546,000 (R $ 2.7 million) against Twittter for failing to properly document or notify the regulator within 72 hours. on the discovery of a data breach detected in January 2019 that exposed some users’ private tweets.
Twitter did not immediately respond to a request for comment.
The case serves as a reference as it is the first in a long line of data breach cases involving large American tech companies in Ireland, including Facebook, Apple and Google, the Alphabet Group. The Irish Data Commission oversees the General Data Protection Regulation (GDPR) for these and other American companies whose regional headquarters are in the country.
It took almost two years for the Irish Commission to reach a decision on Twitter that included almost five months of disputes over jurisdiction, scope of investigation and fine between the Commission and its counterparts in other European Union countries. . This is fueling the frustration of some data protection activists and data protection authorities in the European Union at the slowness of the bloc’s actions.
“We are reaching a tipping point where GDPR really needs to start producing results,” said David Martin, Legal Director of Beuc, an alliance that brings together European consumer rights organizations and strongly supports consumer law. Privacy. “The credibility of the whole system will be compromised if the inspection does not improve.”
One sign of that frustration is that some other regulators are starting to prosecute their data breach cases based on laws other than GDPR, said Paul Nemitz, chief judicial policy advisor at the European Commission, the European Commission’s executive arm. European Union.
Last week, CNIL, the organization that governs French privacy laws, fined Google and Amazon a total of $ 163 million ($ 824 million) for violating a separate rule, the ePrivacy Policy. This enabled CNIL to circumvent the rules of the GDPR and provide for the separation of powers with other regulators in the European Union known as “one-stop-shop”.
“It is important that the Action Coordinating Authority for Google and other technology companies apply the GDPR appropriately to ensure the functioning of the one-stop-shop system,” said Nemitz.
Helen Dixon, the head of the Irish Data Protection Commission responsible for the application of the GDPR at Google, said that the application of the GDPR and the division of powers between organizations was a work in progress and that her organization was leading its cases in a methodical way to ensure that their decisions stand up to legal challenges.
“Am I satisfied? No, the process didn’t work very well. I think it took too long, “Dixon said in an interview aired at a technology conference earlier this month about the case against Twitter. “On the other hand, it is the first time that the European Union’s data protection authorities have fully implemented the process and maybe things will only improve after that.”
An Irish commission spokesman said his decision was the first to go through the GDPR dispute settlement process and that it was the first time the data protection authority in the European Union had consulted all of its counterparties within the GDPR on a decision of a large Union Technology company.
Translation by Paulo Migliacci