Twitter Fined £400,000 For Breaking EU Data Law
Twitter has been fined €450,000 (£400,000) by the Data Protection Commission in Ireland for breaking Europe’s GDPR data privacy rules.
The GDPR is a user and data privacy regulation that came into effect in the EU on May 25, 2018, and was quickly put to use following four separate complaints against Google, Facebook, Instagram, and WhatsApp on the same day over their use of “forced consent.”
Twitter has accepted responsibility. In a statement, the firm blamed “an unanticipated consequence of staffing” during the period between Christmas Day 2018 and 1 Jan 2019 for its failure to notify the regulator within 72 hours of discovering the breach.
“We respect the IDPC’s decision, which relates to a failure in our incident response process,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer.
“Twitter worked closely with the Irish Data Protection Commission (@DPCIreland) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process.” — Twitter Comms (@TwitterComms), December 15, 2020
The IDPC said it believed the fine was “an effective, proportionate and dissuasive measure”.
The fine related to a bug affecting Android users who had made their tweets private – it meant that if they made some changes to their account, their tweets could have been made public in error. The bug dated back to 2014, the firm said at the time.
The bug was disclosed in January 2019 and the DPC began its investigation shortly afterwards.
Darren Wray, of privacy firm Guardum, said the penalty was a sign that the teeth of the GDPR were “getting sharper”. “This case should send a message to large tech firms that they need to take their data privacy responsibilities very seriously,” he said.