Twitter fined 450,000 Euros by Irish regulator for GDPR fail
Twitter has been clobbered with a fine of €450,000 (~$546,300) after Irish courts found it had breached Europe’s strong data protection laws, known as GDPR. The fine was brought by Ireland’s data regulator, making it the first scalp for US big tech under the legislation.
Twitter was investigated under GDPR rules after an incident in 2019 which saw private, so-called ‘restricted’ Tweets made public, due to a bug in the platform’s Android app. After an initial investigation, some EU member states complained that Twitter’s proposed punishment of $150k-$300k wasn’t enough. As most big tech firms use Ireland as a European base, Ireland’s data regulator is often considered the lead on such cases and an arbitrator of disputes via the European Data Protection Board (EDPB). Reuters reports that it’s the first time that the GDPR Dispute Resolution process has been used to increase a fine.
In handing down the fine, Ireland’s DPC said that it was a “proportionate and dissuasive measure” based on Twitter’s “failure to notify the breach on time and… failure to document the breach”. Twitter had said, in its defence, that the oversight was caused by reduced staffing over the Christmas period in 2018. Twitter responded by acknowledging the situation: “We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers…”.
Under GDPR rules, Twitter remains liable for the data leak, even though it wasn’t considered to be deliberate or malicious. The rules, which are some of the strictest in the world, require compliance from all companies that allow data to travel in or out of the European Union. The fact that the leak happened at a time when Google was actively cracking down on third-party Twitter clients only served to compound the problem, given that it was their own official app that sprung the leak.