Twitter has been fined €450,000 by the Data Protection Commission (DPC) for a GDPR breach.
The commission kickstarted an investigation into Twitter back in January 2019 when the company publicly disclosed the presence of a fault in their system.
The social media giant said that a bug in its ‘Protect your tweets’ feature could have meant some Android users who’d applied the setting to make their tweets non-public may have had their data exposed to the public Internet since as far back as 2014.
Upon investigation, the DPC found that Twitter failed to promptly declare and properly document the breach and therefore infringed Articles 33(1) and 33(5) of the GDPR.
This marks the first time the regulator has penalised a big tech company under European GDPR rules.
The GDPR requires most breaches of personal data to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach.
The regulation also requires controllers to document what data was involved and how they responded to the security incident, so that the relevant supervisory authority can verify compliance.
In this case, Twitter was found to have failed on both counts.
In a statement, Damien Kieran, Twitter's Chief Privacy Officer and Global Data Protection Officer, said that an 'unanticipated consequence of staffing' was the reason the commission was notified late:
“We have made changes so that all incidents following this have been reported to the DPC in a timely fashion,” it said.
"We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.
"We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness."