Out-Law / Your Daily Need-To-Know

Twitter faces Irish inquiry over data breaches

Out-Law News | 21 Dec 2018 | 1:06 pm | 1 min. read

Twitter's compliance with the General Data Protection Regulation (GDPR) is being scrutinised in Ireland.

Ireland's data protection authority, the Data Protection Commission (DPC), announced earlier this week that it opened a "statutory inquiry" into the company in November.

The probe will look into "Twitter’s compliance with the relevant provisions of the GDPR following receipt of a number of breach notifications from the company since the introduction of the GDPR", the DPC said in a short statement.

Dublin-based data protection law expert Ann Henry of Pinsent Masons, the law firm behind Out-law.com, said: "This is a story to watch for 2019. Whilst the details so far are scant, clearly there is concern in the Irish DPC, hence the inquiry and announcement."

Twitter was already being investigated by the DPC for its handling of a subject access request, according to an October report by the Daily Telegraph.

According to a report by Bank Info Security, the DPC had, as of 17 December, received 3,105 data breach reports from organisations since the GDPR took effect on 25 May this year. The DPC said the average number of data breach reports it receives a month is 500, compared with 230 a month throughout 2017. More than 8,000 data breaches have been notified to the UK's Information Commissioner's Office (ICO) since the GDPR began to apply.

The GDPR introduced, for the first time, a general cross-sector obligation on organisations to notify data protection authorities when they have experienced a personal data breach, and in some cases to inform the people affected by the breach too. Previously, mandatory data breach notification applied only in a select few sectors, such as telecoms and banking.

The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It obliges organisations to notify such breaches to the competent data protection authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it ... unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons". The 72-hour clock runs from the point at which the organisation becomes aware of the breach, and a notification made after that deadline must be accompanied by the reasons for the delay. Organisations must also keep an internal record of all personal data breaches, including those judged not to require notification, so that the authority can verify compliance.

In addition, where a breach is likely to result in a high risk to the rights and freedoms of individuals, the affected data subjects must also be informed directly, without undue delay.