
Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach



In a first for the EU’s data protection rules


Illustration by Alex Castro / The Verge

Ireland’s Data Protection Commission (DPC) has fined Twitter €450,000 (around $546,000) over a data breach it disclosed back in January 2019, the regulator announced today. The security flaw exposed some supposedly private tweets from the service’s Android users for over four years. Twitter was found to have violated the EU’s General Data Protection Regulation (GDPR) because it failed to notify the regulator within 72 hours of discovering the breach, The Wall Street Journal reports.

The fine is notable because it’s the first time a US tech giant has been hit with a GDPR fine in a cross-border case, meaning one in which the Irish regulator consulted its EU counterparts as part of the decision. The investigation was headed by Ireland’s DPC because Ireland is where Twitter’s international headquarters are based.

Twitter said it takes responsibility for the mistake

This cross-border process is part of the reason why it’s taken so long to issue this fine. Ireland’s DPC posted its draft decision back in May as part of the GDPR’s comments process. However, several other regulators raised objections to several points in its decision, which eventually led to a dispute-resolution process.

One key objection raised was to the amount the DPC wanted to fine Twitter, the WSJ reports. A fine of €450,000 is well short of the 2 percent of Twitter’s global annual revenue that can be levied under GDPR for failing to properly disclose a data breach. The Irish regulator originally wanted to fine Twitter even less than this, but through the dispute-resolution process, it was told to increase the amount. The DPC had argued for a smaller fine because it believed Twitter’s failing was through negligence, rather than being intentional or systematic.

The fact that this dispute resolution took so long has led to criticism of GDPR’s effectiveness. The head of the Irish Data Protection Commission, Helen Dixon, has previously admitted that “the process didn’t work particularly well” but added that it’s the first time the process has been used and expressed optimism that it would get better in future, the WSJ reports.

Responding to the fine in a statement given to TechCrunch, Twitter said it respects the regulator’s decision. “An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period,” the company said. “We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers,” the company added.

The WSJ describes the Twitter case as being “the first in a long pipeline” of cases involving US tech giants. Other open cases include more than a dozen that have been opened into Facebook and its subsidiaries, such as WhatsApp.