Twitter fined by Irish data regulator over GDPR breach
15 December 2020, 12:04
The social media platform has accepted a 450,000 euro (£411,000) fine for failing to notify the regulator of a breach in good time.
Twitter has been fined 450,000 euro (£411,000) by the Irish Data Protection Commission (DPC) in a landmark ruling over a violation of European data privacy rules.
The social media platform has accepted the fine from the DPC for failing to alert the regulator of a breach in good time – a key part of the General Data Protection Regulation (GDPR), introduced in 2018.
It is the first major fine issued by the regulator to a US tech giant for a breach of GDPR since the new rules were introduced.
The fine has come from Dublin as Twitter has its European headquarters in Ireland, making the DPC its lead regulator in Europe.
Data Protection Commission announces decision in Twitter inquiry https://t.co/Ybeatszm9q pic.twitter.com/YQLkRBnsM9
— Data Protection Commission Ireland (@DPCIreland) December 15, 2020
The ruling relates to an incident publicly disclosed in early 2019 where a security glitch had made some users’ private tweets public, and Twitter failed to send a breach notification to the DPC within 72 hours of its discovery of such an event, as is required under GDPR.
The regulator said the penalty was an “effective, proportionate and dissuasive measure”.
Responding to the fine, Twitter said it respected the DPC’s decision and had made changes in response to the incident.
“Twitter worked closely with the Irish Data Protection Commission (@DPCIreland) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process,” Twitter said in a statement posted to the platform.
“An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying @DPCIreland outside the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion.
Twitter worked closely with the Irish Data Protection Commission ( @DPCIreland ) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process.
— Twitter Comms (@TwitterComms) December 15, 2020
“We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We’re sorry it happened.
“We appreciate the clarity this decision brings for companies and the public around the GDPR’s breach notification requirements.
“As always, our approach to these incidents will remain one of committed transparency and openness.”
