Some European Union regulators objected to Ireland’s preliminary ruling in a landmark privacy investigation of Twitter, the lead regulator said on Thursday, triggering a process where a majority decision will be sought.
Twitter had looked set to become the first big technology company to face a fine by Ireland’s Data Protection Commission (DPC) under tougher EU data protection rules after it submitted the decision to other member states in May.
Under the EU’s General Data Protection Regulation’s (GDPR) “One Stop Shop” regime introduced in 2018, regulators can impose fines for violations of up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher.
Ireland hosts the European headquarters of a number of U.S. technology companies, making its the EU’s lead regulator for firms including Twitter, Facebook, Apple and Google.
But it must share its preliminary decision with all concerned EU supervisory authorities (CSAs) and consider their views in its final verdict.
“A number of objections were raised by CSAs and the DPC engaged in a consultation process with them,” Graham Doyle, Deputy Commissioner at the Irish DPC, said in a statement.
As a number of objections were maintained, the DPC has now referred the matter to the European Data Protection Board (EDPB), he added.
The EDPB now has one month to reach a two-thirds majority among member states and if that fails, a further month to seek an absolute majority. If it still can’t find agreement, the chair of the board will cast the deciding vote.
The Twitter ruling relates to a bug in its Android app where some users’ protected tweets were made public, and whether it notified the regulator in a timely manner. The DPC had 20 other probes open into big technology firms at the end of 2019.