Twitter paid a penalty of €450,000 ($544,600) for its General Data Protection Regulation (GDPR) violation. Ireland’s Data Protection Commission (DPC) issued the penalty in connection with the privacy breach report that Twitter submitted in January 2019.
On January 8, 2019, Twitter International Company sent the DPC a breach notification letter. On January 22, 2019, the DPC began an investigation of Twitter to determine whether it was GDPR-compliant.
On December 26, 2018, Twitter became aware of the issue after being notified by a researcher. The issue concerned the option that lets Twitter users protect their Tweets. Only specific groups, individuals, or followers can see protected Tweets, while anybody can see unprotected Tweets.
A bug in the system caused protected Tweets to become unprotected without the user’s knowledge. This happened if a user changed the email address linked to their Twitter account on an Android device. Twitter discovered that the bug first appeared on November 4, 2014. However, there is no information about which users the bug affected prior to September 5, 2017. Twitter fixed the problem on January 11, 2019, after it had affected 88,726 users from the EU and EEA between September 5, 2017 and January 11, 2019.
Under Article 33(1) of the GDPR, organizations are required to submit a data breach report to the proper Data Protection Authority within 72 hours after discovering a breach. The Irish DPC found that Twitter violated this GDPR rule. Under Article 33(5) of the GDPR, organizations are required to document a breach, including the information affected and the measures taken to respond to the breach. The documentation becomes the basis on which compliance is evaluated. The DPC found that Twitter had not properly documented the breach.
The DPC decided to issue a financial penalty to Twitter as the proper, proportionate, and dissuasive action. Twitter fully cooperated with the DPC’s investigation and acknowledged its inability to comply with the correct incident response process. Twitter attributed the failure to an unforeseen staffing issue between Christmas Day 2018 and New Year’s Day. Hence, Twitter failed to give the DPC a prompt breach notification. Twitter has already put in place the adjustments needed to report all future incidents to the DPC promptly.
For the first time, the Irish GDPR watchdog issued a cross-border penalty. It is a hefty penalty; however, it is merely a small fraction of the maximum penalty that can be issued. For every GDPR violation, the maximum penalty that may be issued is €20 million ($24.2 million) or 4% of global annual revenue, whichever is greater.
Twitter could have been issued a maximum financial penalty of €138 million ($168 million), which is only 0.1% of its 2019 global annual revenue.