Twitter is penalized with €450,000 ($544,600) for violating the EU’s General Data Protection Regulation (GDPR). The Data Protection Commission (DPC) in Ireland issued the fine in connection with Twitter’s privacy breach report to the DPC in January 2019.
On January 8, 2019, the DPC got a breach notification from Twitter International Company that prompted an investigation on January 22, 2019 to know if Twitter complied with the GDPR.
A researcher notified Twitter on December 26, 2018 about its issue. Twitter users are presented with the option to protect their Tweets or not. Protected Tweets can only be viewed by a specific set of people or followers. Unprotected tweets are publicly viewable by anybody.
Because of a bug, protected Tweets became unprotected without the user knowing about it. This happens when a user changes his/her email address connected with their Twitter account using an Android device. Twitter learned that the bug appeared on November 4, 2014 but didn’t know who among its users were impacted before September 5, 2017. The problem was fixed on January 11, 2019. The bug affected 88,726 EU and EEA users from September 5, 2017 to January 11, 2019.
Under Article 33(1) of the GDPR, companies need to report a data breach to the appropriate Data Protection Authority in 72 hours after its discovery. The Irish DPC discovered that Twitter violated this GDPR terms. As per Article 33(5) of the GDPR, companies should make a documentation of a breach and specify the information compromised. Measures taken to resolve the breach should also be logged to help the data protection controller in assessing compliance. The DPC determined that Twitter did not have enough documentation of its breach.
DPC deemed that a financial penalty was fitting to have “an effective, proportionate, and dissuasive measure. Twitter cooperated with the investigation of DPC and accepted its failure to comply with the proper incident response process. The failure was due to an unexpected staffing from Christmas Day 2018 to New Years’ Day, so Twitter was unable to notify the IDPC within the 72-hour required notice period. Twitter already implemented the necessary changes so that all subsequent incidents are reported promptly to the DPC.
This is the Irish GDPR watchdog’s first cross-border penalty issued. It’s a sizable penalty but it is just a tiny percentage of the penalty that could have been issued. A GDPR violation may be issued a maximum penalty of €20 million ($24.2 million) or 4% of global yearly income, whichever is higher.
Twitter’s maximum financial penalty could have been €138 million or $168 million. That is just about 0.1% of its global yearly income for 2019.