Twitter has been fined €450,000 by the Data Protection Commission for a data breach, marking the first time the regulator has penalised a big tech company under European GDPR rules.
The commission commenced an investigation into Twitter in January 2019 after the company publicly disclosed it had inadvertently made some users’ private tweets public.
It found that Twitter infringed article 33(1) and 33(5) of GDPR in terms of a failure to notify the breach on time to the regulator, and a failure to adequately document it.
The commission described the fine as “an effective, proportionate and dissuasive measure”.
Some data protection experts had indicated a big fine was unlikely to be levied given the nature of the breach and the fact that Twitter made a voluntary admission on the matter. However, critics may question the level of the fine given the company recorded revenues of $3.46 billion (€2.8 billion) last year.
The General Data Protection Regulation (GDPR), which came into effect in May 2018, gives data regulators powers to fine companies up to 4 per cent of their global turnover of the previous year or €20 million, whichever is greater, for violating the law.
With so many companies having their European headquarters in the Republic, the commission is the lead EU regulator for many big tech giants that also include Google and Facebook under the "one-stop-shop" mechanism, which was introduced as part of the GDPR rules.
The regulator had previously faced criticism for delays in carrying out investigations against such companies for possible breaches.
Twitter said in a statement it worked closely with the regulator to support its investigation.
“We respect the commission’s decision, which relates to a failure in our incident response process ... We have made changes so that all incidents following this have been reported to the commission in a timely fashion,” said Damien Kiernan, Twitter’s chief privacy and global data protection officer.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
Because of the co-operation and consistency mechanism under GDPR, which is aimed at ensuring a harmonised interpretation of the law across the EU, commissioner Helen Dixon was unable to make a final decision on the Twitter without the agreement of other authorities. Her office circulated its draft findings to other regulators in May. The European Data Protection Board had to make the final determination, however, after disagreement among regulators.
Speaking at Web Summit earlier this month, Ms Dixon said the process to reach a unified agreement with other supervisory bodies had taken too long and been overcomplicated.
“Am I satisfied? No, the process didn’t really work well,” she said.
“It is the first time EU data protection authorities have stepped through the process so maybe it can only get better from here,” she added.
The commission has more than 20 cross-border inquiries open in relation to big tech companies' compliance with GDPR. Facebook recently said it had set aside €302 million for potential regulatory fines in Europe. The Irish arm of WhatsApp, which is owned by Facebook, has set aside €77.5 million to cover possible fees linked to an investigation undertaken by the regulator here.
The fine levied on Twitter comes on the same day the European Union is to formally propose the Digital Markets Act, which will give regulators new powers to go after big tech companies believed to be engaged in anti-competitiveness practices.