Twitter fined over $540K over a data breach in Ireland’s first major GDPR decision

Ireland’s Data Protection Commission (DPC) has imposed a fine of €450,000 (~$547,000) on Twitter for failing to promptly declare and document a breach under the European General Data Protection Regulation (GDPR).

The decision is notable because it is the first cross-border GDPR decision by the Irish watchdog, which is a main EU privacy regulator for several technology platforms. The DPC has a list of some 20+ active cases at this point, including cases involving Facebook, WhatsApp, Google, Apple, and LinkedIn.

The regulator wrote in a press release: “The inquiry by the DPC began in January 2019, following receipt of a notice of violations from Twitter, and the DPC came to know that Twitter infringed Article 33(1) and Article 33(5) of the GDPR by failing to inform the DPC of the infringement on time and by failing to provide sufficient evidence of the infringement. As a result, the DPC enforced an administrative fine of €450,000 on Twitter as an efficient, appropriate, and dissuasive action.”

The GDPR requires that a breach of personal data be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach.

Another requirement is to provide information about the type of data breached and the organization's response to the security incident.

In Twitter's case, neither requirement was fulfilled.

In an update, Twitter sent a statement attributed to Damien Kieran, its chief privacy officer and global data protection officer: “Twitter has collaborated extensively with the Irish Data Protection Commission (IDPC) to assist their inquiry. We have a mutual commitment to online protection and safety, and we support the IDPC decision, which applies to the breakdown of our incident response process.”

“We are responsible for this failure and are firmly committed to securing the data and privacy of our users and notifying them about any issue that might occur. We appreciate the clarification that this decision provides to businesses and customers regarding the conditions for notice of infringements of GDPR.”

The company also stated that since this incident, in which the breach report was delayed due to inaccurate staffing, all related incident reports have been forwarded to the DPC within the appropriate 72-hour period.

The DPC's decision applies to a breach that Twitter officially revealed in January 2019, when it said that a flaw in its 'Secure Your Messages' feature might mean that the data of some Android users who had chosen to keep their tweets private had been exposed publicly on the internet since 2014.

Meanwhile, Ireland's DPC tends to be criticized for the amount of time it takes to reach decisions on large cross-border GDPR cases, where the effect on human rights will reach hundreds of millions of European internet users.
