The level of penalty was confirmed by the European Data Protection Board (EDPB) after a dispute arose between the Irish Data Protection Commission (DPC) and other data protection authorities across Europe over the Irish authority's approach to enforcement in the case.
It is the first time the EDPB has had to step in to resolve such a dispute between data protection authorities (DPAs).
The GDPR provides a so-called 'one stop shop' mechanism of regulation and enforcement, meaning businesses need only deal with one DPA instead of 27 different DPAs across all EU member states. However, the Regulation makes provision for the cooperation of DPAs in cases where alleged infringement occurs in more than one jurisdiction. In such cases, the lead supervisory authority – here, the DPC in Ireland where Twitter has its European headquarters – must enter into dialogue with the other DPAs in the countries where data subjects have been impacted. While the responsibility for investigating alleged infringement sits with the lead authority, the Regulation gives the other DPAs scope to contribute to the enquiries and to raise 'relevant and reasoned' objections against proposed decisions of the lead authority.
The powers of the EDPB to issue a binding decision in cross-border enforcement cases arise under Article 65(1)(a) of the GDPR and apply where the lead authority rejects the objections raised but another DPA continues to stand behind them.
In this case, the Irish DPC came to a draft decision earlier this year. It consulted on that decision with all other national DPAs, but DPAs in eight EU member states raised objections, including DPAs in France, Germany, the Netherlands and Spain. Although the DPC was able to resolve some of the objections in its response, including those raised by Denmark's DPA, there were remaining objections, requiring the DPC to refer the case to the EDPB to resolve.
In its decision, the EDPB confirmed the DPC's draft decision, ruling that the objections raised by the other DPAs did not meet the required standard of being "relevant and reasoned" – in essence determining that the objecting DPAs had failed to clearly demonstrate that there were significant risks posed by the DPC's draft decision as regards the fundamental rights and freedoms of data subjects, as required by the GDPR.