The Irish Data Protection Commission (DPC) disclosed that Twitter will be fined 450,000 euros over the data breach it disclosed in January 2019. It is understood that the company failed to notify the regulator within 72 hours of discovering the breach and failed to fully document it.
Because the international headquarters of Twitter and many American technology giants are located in Ireland, the investigation is conducted by the Irish DPC. After the EU’s General Data Protection Regulation (GDPR) took effect in May 2018, this case was the first cross-border case in which a US technology company was punished for violating the law.
The breach stemmed from a vulnerability Twitter disclosed in its “Protect your tweets” feature. At the time, the company said that some Android users who had enabled the setting may have had their protected tweets exposed publicly on the Internet, in some cases as early as 2014.
“The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” the regulator writes in a press release.
Damien Kieran, Twitter’s chief privacy officer and global data protection officer, said:
Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.
We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.