Inquiry into Twitter data breach completed, says Data Protection Commission

Decision could pave the way for first fines against ‘big tech’ firm by Irish watchdog

The Data Protection Commission (DPC) has completed an inquiry into social networking site Twitter which could pave the way for the first fines levied against "big tech" firms by the Irish watchdog.

It is the first time the DPC has completed an inquiry into one of the major tech firms, but the draft decision, which is one of a number of announcements made by the DPC on Friday, will remain confidential until other data watchdogs have reviewed it.

If wrongdoing has been identified in the Twitter case and the decision is supported by other supervisory authorities, a fine and a corrective measure will follow.

In addition to the Twitter decision, a second fine for Tusla, the child and family agency, has been issued. It relates to a case in which sensitive personal data about an individual against whom an allegation of abuse had been made was posted on social media.


It is the second time in a matter of weeks Tusla has been on the receiving end of enforcement action by the DPC. Earlier this month, an application was made to the courts in relation to an investigation which involved three different breaches. One of these saw the contact and location data of a mother and child victim disclosed to an alleged abuser. Another related to the improper disclosure of data about children in foster care to blood relatives, including in one instance to an imprisoned father.

The Twitter decision relates to the company's handling of a data breach in November 2018 which it reported to the DPC. Specifically, the DPC examined the social media giant's compliance with two aspects of the General Data Protection Regulation (GDPR), a strict set of European laws introduced in 2018.

The specific sections in question govern the promptness of the disclosure of the data breach, as well as how the company handled aspects of the breach, including record-keeping and documentation which would enable regulators verify compliance with the GDPR.


In addition to the Twitter finding and the fine for Tusla, the DPC said on Friday it has passed other milestones in relation to two inquiries into Facebook, and other platforms owned by the social media company.

A preliminary draft decision has been sent to WhatsApp Ireland, the messenger platform owned by Facebook. Graham Doyle, deputy commissioner with the DPC, said the inquiry into WhatsApp is examining its compliance with the GDPR's articles 12 to 14 "in relation to transparency around what information is shared with Facebook".

The watchdog also said it has completed the investigation phase of an inquiry into Facebook Ireland's obligations to establish a lawful basis for personal data processing. This inquiry is based on a complaint made by the Austrian privacy campaigner Max Schrems.

Draft inquiry reports have also been sent to the complainants and companies involved in two other "big tech" inquiries, which concern WhatsApp and Instagram, the photo-sharing platform also owned by Facebook, the DPC said. D

Jack Horgan-Jones

Jack Horgan-Jones

Jack Horgan-Jones is a Political Correspondent with The Irish Times