The Irish data protection commission (DPC) has fined Twitter €450,000 (approximately £409,000) after the company alerted the watchdog to a serious flaw on its platform nearly two weeks after first discovery, well beyond the strict 72-hour notification window as established under GDPR.
The DPC began its investigation against Twitter in January 2019 after the firm notified it of a bug that exposed the tweets of users who had previously set their accounts to be ‘protected’. A fine has now been administered “as an effective, proportionate and dissuasive measure” due to violations of Article 33(1) and 33(5) of GDPR, which concern the timely and adequate notification of a data breach to a regulator.
Twitter notified the DPC about the flaw, and its potential breach of user privacy, 13 days after receiving the initial bug report on 26 December, ultimately failing to sufficiently document the nature of the breach or its implications.
Twitter received a report that if a user with a protected account changed their email address on an Android device, a bug would lead to their account being unprotected. This would mean their previously protected Tweets, which are only viewable by those the user approves to follow their account, were visible to the general public. The bug in the code was traced back to a change made in November 2014.
The severity of this issue, and that it was grave enough to warrant reporting to a supervisory authority – in this case, the Irish DPC – wasn’t appreciated until 3 January 2019, according to the regulator’s final decision. Twitter’s incident response team was immediately put into action, but it wasn't until 8 January that the Irish DPC was then notified, well beyond the 72-hour-window set out under GDPR.
In this case, the DPC's fine reflects Twitter's failure to abide by the disclosure rules of GDPR, rather than any sanction for the exploit itself.
This is the first case of a major US tech company facing GDPR sanctions under the Article 65 mechanism, which nominates a lead supervisory authority to adjudicate on behalf of all member states.
Although companies such as Google have previously faced GDPR fines by regulators acting unilaterally, the Irish DPC has been charged with regulating violations that are vastly cross-border in nature with regards to the companies headquartered in Ireland.
As such, the regulator is currently in the process of investigating scores of complaints, including 21 cases against major tech firms as of February 2020, with more likely to be added to its workload over the course of the year.
“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” said chief compliance officer at threat intelligence firm IntSights, Chris Strand.
“This case is also drawing an increased spotlight on how to enforce the GDPR as a baseline involving an international entity as well as the use of article 65 as a vehicle for dispute resolution, which I believe will increase the importance of the GDPR as a regulation and the guidance within. “
