Advertisement
Irish DPA Issues €450,000 Fine Against Twitter for Data Breach Following EDPB Decision under the GDPR Consistency Mechanism Thursday, December 17, 2020
On December 15, 2020, the Irish Data Protection Commission (“DPC”) announced its fine of €450,000 against Twitter International Company (“Twitter”), following its investigation into a breach resulting from a bug in Twitter’s design. The fine is the largest issued by the Irish DPC under the EU General Data Protection Regulation (“GDPR”) to date and is also its first against a U.S.-based organization.
The bug in question resulted in protected tweets being changed to unprotected tweets, making them widely available to the public without the user’s knowledge. This bug impacted Twitter users on Android devices who had changed the email address associated with their Twitter accounts. Twitter estimated that 88,726 Twitter users in Europe were affected between September 5, 2017 and January 11,
The French data protection authority’s
decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent.
Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before launching a full-scale investigation into Google LLC, Google Ireland, and Amazon Europe Core. On 7 December 2020, the CNIL handed down two decisions, one against Google LLC (€60 million fine) and Google Ireland (€40 million fine), and another against Amazon Europe Core (€35 million fine). Contrary to a previous sanction against Google LLC, which was triggered by specific complaints about its practices, the CNIL’s decisions indicate that the investigations were launched
Introduction
With its decision of 9 November 2020 (72/2020), the Litigation Chamber of the Data Protection Authority (DPA) provided welcome clarifications concerning the validity of employee consent (Article 4.11 and Recital 43 of the EU General Data Protection Regulation (GDPR)). The Litigation Chamber also gave practical guidelines concerning the purpose limitation principle (Article 5(1)(b) of the GDPR).
In the case at hand, the DPA decided that:
the free consent of employees was possible and could be valid if all other conditions of Article 4.11 of the GDPR were fulfilled; and
the data was collected for a specified and legitimate purpose but the purpose of the processing was not explicit.
The European Commission finally approved Google’s acquisition of Fitbit yesterday, adding some conditions intended to protect user privacy and competition, although campaigners are disappointed in the decision.
The Commission has been mulling the $2.1bn acquisition of the fitness monitoring giant for several months, as distrust over Google’s handling of data and alleged anti-competitive practices is high in the region.
In February, the advisory European Data Protection Board raised concerns about the possibility of the tech giant accessing health and fitness data on tens of millions of users.
“There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data,” it noted.
To print this article, all you need is to be registered or login on Mondaq.com.
With Brexit on the horizon, potential changes to data
transfer laws raise the spectre of disruption to personal data
transfers from the European Economic Area (EEA) to the UK.
From 1 January 2021, the UK will be considered a third country
outside of the EEA for the purposes of the General Data Protection
Regulation (EU) 2016/679 (GDPR). Ahead of this deadline, businesses
should start thinking pragmatically about personal data transfers
from the EEA to the UK to ensure a frictionless transition in case
a European Commission adequacy decision is delayed, or