Irish DPC submits Article 60 draft decision on inquiry into Twitter International Company’s compliance with Articles 33(1) and 33(5) of the GDPR.

The Irish Data Protection Commission (DPC) has today submitted a draft decision to other concerned Supervisory Authorities, in accordance with Article 60 of the GDPR, in relation to an inquiry it has completed into Twitter International Company, a data controller based in Ireland. This own-volition inquiry was commenced by the DPC following receipt of a data breach notification from the controller. The draft decision focusses on whether Twitter International Company has complied with Articles 33(1) and 33(5) of the GDPR.

This draft decision is one of a number of significant developments in DPC inquiries into “big tech” companies this week. Deputy Commissioner Graham Doyle has confirmed that: “In addition to submitting this draft decision to other EU supervisory authorities, we have this week sent a preliminary draft decision to WhatsApp Ireland Limited for their final submissions which will be taken in to account by the DPC before preparing a draft decision in that matter also for Article 60 purposes.  The inquiry into WhatsApp Ireland examines its compliance with Articles 12 to 14 of the GDPR in terms of transparency including in relation to transparency around what information is shared with Facebook.“

The DPC has also completed the investigation phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing. This inquiry is now in the decision-making phase at the DPC.

The DPC has also sent draft inquiry reports to the complainants and companies concerned in two further “big tech” inquiries – these inquiries concern the Instagram and WhatsApp platforms respectively.

The DPC yesterday issued a second decision that applies corrective measures which include a fine under the GDPR against Tusla, the Child and Family Agency, following completion of an inquiry commenced in November 2019 and Tusla now have 28 days to appeal this decision.

Further, the CJEU announced on 14 May that it will deliver its judgement in the case of Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) on 16 July. The case concerns proceedings initiated and pursued in the Irish High Court by the DPC which raised a number of significant questions about the regulation of international data transfers under EU data protection law. The judgement from the CJEU on foot of the reference made arising from these proceedings is anticipated to bring much needed clarity to aspects of the law and to represent a milestone in the law on international transfers.

Original Post