Twitter Fined $547K for Privacy Breach Under EU Law

Ireland's data regulator has fined Twitter $547,000 over a bug that made some private tweets public, in the first sanction against a US firm under a new European Union data privacy system.

The EU's General Data Protection Regulation's (GDPR) "One Stop Shop" regime makes Ireland's Data Protection Commission lead regulator of Twitter, Facebook, Apple, and Google in the bloc, due to the location of their EU headquarters.

The 450,000-euro fine marked a milestone in the enforcement of the EU’s General Data Protection Regulation, a 2018 law meant to give Europeans more control over their online data.

Ireland’s Data Protection Commission said Twitter took too long to notify regulators about a bug in its Android app that made some users’ private tweets publicly visible. The problem affected at least 88,726 European users between September 2017 and January 2019, officials said.

The Irish regulator announced the penalty nearly two years after it started probing the breach in January 2019. The commission is responsible for enforcing the data protection law against Twitter and other Silicon Valley titans whose European headquarters are located in Ireland, such as Google and Apple.

The Twitter case was the first to go through a dispute resolution process established under the EU data law, in which the lead regulator makes a decision and then consults other national regulators.

Ireland’s decision went before the European Data Protection Board after some other regulators objected to the initial ruling. The board upheld most of the decision but directed Ireland to increase the fine. Irish regulators called the final penalty “effective, proportionate and dissuasive.”

Twitter said the fine stemmed from its failure to notify regulators about the bug within 72 hours after it learned of the problem. The San Francisco-based company blamed the delay on staffing issues between the Christmas and New Year’s holidays in 2018.

“We have made changes so that all incidents following this have been reported to the [Data Protection Commission] in a timely fashion,” Damien Kieran, Twitter’s chief privacy officer and global data protection officer, said in a statement. “We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.”

December 15, 2020