Twitter has been told to pay a €450,000 GDPR fine by Ireland’s data regulator for failing to report a 2018 data breach in the legally required timeframe.
In January 2019 the social media platform disclosed a bug that exposed the protected tweets of some Android users between 3 November 2014 and 14 January 2019.
Twitter discovered the security flaw in December 2018 but did not report it to Ireland’s Data Protection Commission (DPC) until the following month. Under the GDPR, companies must notify the relevant authority within 72 hours of discovering a breach.
The DPC also determined that Twitter failed to adequately document the breach, another requirement under GDPR.
In a statement, Twitter said: “An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying DPC Ireland outside the 72-hour statutory notice period.
“We have made changes so that all incidents following this have been reported to them in a timely fashion.”
“We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We’re sorry it happened.”
Twitter worked closely with the Irish Data Protection Commission (@DPCIreland) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process.
— Twitter Comms (@TwitterComms) December 15, 2020
It marks the first case where a US tech firm has been hit by a GDPR fine in a cross-border case. This meant the DPC consulted other data regulators in the EU when making its decision.
The DPC had wanted to fine Twitter for a smaller amount because it believed the breach to be an isolated incident of negligence. However, German, Austrian and Italian regulators successfully argued that the fine was too low.
Companies can be fined a maximum of 4% of annual turnover for the most serious data breaches. In 2019 Twitter’s revenue stood at $3.46bn.
The DPC has a number of open cases on US tech giants, including Facebook, WhatsApp, Google and Apple.
Rafi Azim-Khan, head of Europe data privacy at Pillsbury Law, said the Twitter GDPR fine shatters the myth that Ireland is a safe haven for tech companies to set up their headquarters.
“As a number of tech companies and big businesses have moved to, or set up, their EU headquarters in Ireland, there has been a growing myth amongst some commentators that this was a jurisdiction with no enforcement or was some kind of legal ‘safe haven’. This myth has now been dispelled,” he said.
Darren Wray, CTO at data privacy firm Guardum, said the Twitter fine shows that the GDPR’s “teeth are getting sharper”.
“All companies need to ensure that they are maintaining their compliance in the most efficient and effective ways. GDPR is no longer the new kid on the block and there are many other countries and indeed US states who are following the EU’s lead in implementing and updating their data privacy regulations,” he added.