Ireland’s Data Protection Commission has finally issued its first cross-border GDPR ruling, although those hoping for a shot across the bows of tech giants could be disappointed: it has fined Twitter just €450,000 (£410,000) for failing to promptly declare and properly document a data breach.
The decision relates to a breach that Twitter publicly disclosed in January 2019. At the time the firm said a bug in its “Protect your tweets” feature could have meant some Android users who wanted to make their tweets private may have had their data exposed online since as far back as 2014.
The Irish DPC confirmed it had come to its decision earlier this year but as it was a cross-border case it needed the approval of other EU members’ data protection authorities (DPAs).
In August, it emerged that an unspecified number of other DPAs had raised objections over the level of the punishment, forcing the European Data Protection Board – which is made up of all the DPAs in the EU – to intervene. Last month it confirmed the DPAs had backed the settlement, by at least a two-thirds majority.
Announcing the ruling, the Irish DPC said: “The DPC’s investigation has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine on Twitter as an effective, proportionate and dissuasive measure.”
The GDPR requires most breaches of personal data to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach. The regulation also requires controllers to document what data was involved and how they have responded to the security incident, so that the relevant data supervisor can check compliance.
The GDPR sets a maximum fine of €20m (£18.2m) or 4% of annual global turnover – whichever is greater – for infringements; Twitter’s €450,000 penalty ranks among the lowest issued to a tech giant by any DPA under the regulation. Google, which was fined €50m (£45m) by French authority CNIL in January 2019, has the dubious honour of holding the record for the highest.
In a statement, Twitter chief privacy officer and global data protection officer Damien Kieran said: “Twitter worked closely with the Irish DPC to support their investigation. We have a shared commitment to online security and privacy, and we respect the decision, which relates to a failure in our incident response process.”
Kieran claimed that an “unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day” resulted in Twitter notifying the DPC outside of the 72-hour statutory notice period.
He added: “We have made changes so that all incidents following this have been reported to the DPC in a timely fashion. We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
There is no word on how other investigations are progressing in Dublin, with the Irish DPC having a backlog of some at least cases against tech giants, including investigations into Facebook, WhatsApp, Google, Apple and LinkedIn.
Austrian privacy campaigner Max Schrems, a long-term critic of the Irish DPC, tweeted: “*LOL* Twitter got away with €450k as the first GDPR fine by the DPC – 0.016% of their revenue in 2019. In other words: They need 1.5 hours to make that amount in revenue and pay the fine.
“For context: Cost for all judicial cases against the DPC we had so far, far exceeded this amount – it is likely cheaper for Twitter to pay this amount than even bother fighting it in the courts. May be the logic behind this amount.”