Ireland’s Data Protection Commission (DPC) has issued the social media platform Twitter with a fine of €450,000 (~$547,000) for failing to promptly declare and adequately document a data breach under Europe’s General Data Protection Regulation (GDPR).
The decision is noteworthy as it’s the first such cross-border GDPR decision by the Irish watchdog, which is the lead EU privacy supervisor for several tech giants and has a backlog of some 20+ ongoing cases at this point, including active probes of Facebook, WhatsApp, Google, Apple and LinkedIn, to name a few.
“The DPC’s investigation commenced in January 2019 following receipt of a breach notification from the platform, and the DPC has found that the social media platform, Twitter, infringed Article 33(1) and 33(5) of GDPR in terms of a failure to notify the breach on time to the DPC and a failure to document the violation adequately.
The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate, and dissuasive measure,” the regulator writes in a press release.
The GDPR requires most personal data breaches to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach.
The regulation also requires controllers to document what data was involved and how they responded to the security incident, so that the relevant data supervisor can check compliance.
Twitter Fined $550k Over Data Breach
In this case, Twitter was found to have failed on both counts. We’ve reached out to the social media company for comment, including asking whether it plans to accept the decision and pay up or if it’s considering its legal options.
The company also told us that since this specific incident, in which inadequate staffing over the 2018 holiday period led to a delay in reporting the breach, it has made all relevant incident reports to the DPC within the required 72-hour period.
The DPC’s decision relates to a breach that Twitter publicly disclosed in January 2019, when it said a bug in its ‘Protect your tweets’ feature could have meant some Android users who’d applied the setting to make their tweets non-public might have had their personal data exposed to the public Internet since as far back as 2014.
Since fessing up to the ‘Protect your tweets’ bug, Twitter has had plenty more egg on its face where security is concerned, including suffering a high-profile account hijacking episode earlier this year, after crypto-scam-spreading hackers gained network access credentials using a social engineering technique.