Twitter Fined for Data Breach

After an investigation that lasted for over two years, the Irish Data Protection Commission (DPC) found that Twitter didn’t comply with the General Data Protection Regulation – a European Union law that aims to protect data privacy and hold companies accountable for breaches.

The DPC announced that it’s fining Twitter, but not harshly; the regulator asks for €450,000, or about $546,000. It represents around 0.016% of Twitter’s $3.46B revenue for the fiscal year 2019.

Twitter disclosed data breaches to the DPC in January 2019. Still, the officer stated that it wasn’t the breaches themselves that got Twitter fined so much as the company’s failure to report and document them in the 72-hour window mandated by the GDPR.

The breaches came from a bug that could make Android users’ tweets public, even if they wanted them private.

The small fine signifies that the DPC didn’t think Twitter’s violations were a big deal, although the office called the amount “effective, proportionate and dissuasive.” The GDPR rules say that regulators can ask for up to 4% of a company’s annual revenue for more severe offenses and 2% for failing to report the breach.

The GDPR was implemented in the European Union in 2018, but this was the first investigation to undergo a “dispute resolution” process, which involved other regulating bodies in the EU. This has resulted in some tension over the size of the fine: it has been reported that German regulators were pushing for an amount between €7 million and €22 million.

Twitter’s official communications account wrote that “an unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying @DPCIreland outside the 72 hours statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion.”

“We’re sorry it happened,” the statement added.

This is not Twitter’s first run-in with the law about issues surrounding data privacy; the company’s commitment to security came under scrutiny this summer when a 17-year-old Bitcoin scammer hacked the site.
