By Sam Schechner
European Union privacy regulators are clashing over how much -- if anything -- to fine Twitter Inc. for its handling of a data breach disclosed last year, delaying progress of the most advanced cross-border privacy case involving a U.S. tech company under the EU's strict new privacy law.
The dispute, disclosed in a statement Thursday from Ireland's Data Protection Commission, is one of the first major tests for enforcement of the EU's privacy law, known as GDPR, which took effect in 2018. It raises the specter of disagreements and delays in nearly two dozen other investigations into Facebook Inc., Alphabet Inc.'s Google and other U.S. tech companies under the law. Those investigations are led by Ireland's data commission because the companies have regional headquarters in Ireland, but its counterpart regulators in all 26 other EU countries can object in cases that involve them.
The Irish privacy regulator said Thursday that it had triggered a dispute-resolution mechanism among the bloc's privacy regulators after failing to resolve disagreements over its draft decision in the Twitter case -- the first time that process has been started.
The Twitter case is a bellwether because it is the first in which Ireland's data commission forwarded a draft decision to its counterparts for comments, which it did in May. The case concerns a security hole that Twitter said it fixed in January 2019 that, over a period of more than four years, exposed the private tweets of some users.
Ireland's data commission said in its 2019 annual report that the focus of the case is on whether Twitter fulfilled its obligation for a timely notification of the breach.
Twitter didn't immediately respond to a request for comment.
The Irish regulator declined to comment on which counterparts had objected to its proposed decision, or on what grounds, but objections could relate both to its substance and the amount of the fine.
Under the EU's GDPR, regulators can fine companies up to 2% of their world-wide annual revenue for failing to notify them of a data breach within 72 hours, which could reach up to $69 million, based on Twitter's 2019 revenue. The law however directs regulators to take into account the gravity and duration of the violation, the type of personal information at issue and other factors, such as whether the violation was intentional or was part of a broader pattern.
Ireland's data commission "engaged in a consultation process with" other regulators to resolve their complaints," said Graham Doyle, a deputy commissioner. "However, following consultation a number of objections were maintained and the DPC has now referred the matter to the European Data Protection Board," the body representing all EU privacy regulators, he said.
A spokeswoman for the EDPB didn't immediately respond to a request for comment.
The eventual outcome of the Twitter case will offer the first indication of how the EU's power-sharing system among regulators will work in practice. Under the law, in cases that involve multiple countries, the lead regulator, such as Ireland's data commission, sends its draft decision to counterparts. They have four weeks to submit "relevant and reasoned" objections. There is additional time left to approve revisions based on those objections
Any disagreements the regulators can't resolve can be referred to the European Data Protection Board, which decides in a vote. That process runs for one month, but can be extended to two, and then again by two weeks. Once the board approves a decision, the lead regulator informs the company within a month, according to the text of the law.
Write to Sam Schechner at sam.schechner@wsj.com