NEWS 22 December 2020

Twitter issued with GDPR fine from Irish regulator


IRELAND – The Irish Data Protection Commission (DPC) has issued Twitter with a €450,000 fine for breaching the General Data Protection Regulation (GDPR).


The DPC began an investigation in January 2019 after Twitter, which has its European base in Dublin, notified the regulator of a data breach discovered in December 2018.

The breach resulted from a design bug which led to protected tweets becoming accessible to the wider public if a user on an Android device changed the email address associated with their Twitter account.

An external Twitter contractor discovered the bug on Boxing Day 2018 and Twitter disclosed the issue to the DPC on 8 January 2019.

The regulator found that the social network failed to notify it of the breach on time. Under GDPR, organisations must report data breaches within 72 hours. Twitter was also penalised for failing to adequately document the breach.

“The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure”, the regulator wrote in a press release.

The penalty is the first issued by the Dublin-based DPC against a tech giant.

The draft decision on the inquiry was also the first in which all European data protection authorities were consulted under Article 65 of the GDPR, or the ‘dispute resolution’ process. The DPC triggered the mechanism after its initial draft decision attracted objections from other data authorities over the size of the fine.

Damien Kieran, chief privacy officer and global data protection officer at Twitter, said: “An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion. 

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.”