Twitter fined €450k for breaching GDPR disclosure rules

Firm chastised over its handling of a 2018 flaw that made private tweets accessible to the public

The Irish data protection commission (DPC) has fined Twitter €450,000 (approximately £409,000) after the company alerted the watchdog to a serious flaw on its platform nearly two weeks after first discovery, well beyond the strict 72-hour notification window as established under GDPR.

The DPC began its investigation against Twitter in January 2019 after the firm notified it of a bug that exposed the tweets of users who had previously set their accounts to be ‘protected’. A fine has now been administered “as an effective, proportionate and dissuasive measure” due to violations of Article 33(1) and 33(5) of GDPR, which concern the timely and adequate notification of a data breach to a regulator.

Twitter notified the DPC about the flaw, and its potential breach of user privacy, 13 days after receiving the initial bug report on 26 December, ultimately failing to sufficiently document the nature of the breach or its implications.

Twitter received a report that if a user with a protected account changed their email address on an Android device, a bug would lead to their account being unprotected. This would mean their previously protected Tweets, which are only viewable by those the user approves to follow their account, were visible to the general public. The bug in the code was traced back to a change made in November 2014.

The severity of this issue, and that it was grave enough to warrant reporting to a supervisory authority – in this case, the Irish DPC – wasn’t appreciated until 3 January 2019, according to the regulator’s final decision. Twitter’s incident response team was immediately put into action, but it wasn't until 8 January that the Irish DPC was then notified, well beyond the 72-hour-window set out under GDPR. 

In this case, the DPC's fine reflects Twitter's failure to abide by the disclosure rules of GDPR, rather than any sanction for the exploit itself.

This is the first case of a major US tech company facing GDPR sanctions under the Article 65 mechanism, which nominates a lead supervisory authority to adjudicate on behalf of all member states.

Although companies such as Google have previously faced GDPR fines by regulators acting unilaterally, the Irish DPC has been charged with regulating violations that are vastly cross-border in nature with regards to the companies headquartered in Ireland.

As such, the regulator is currently in the process of investigating scores of complaints, including 21 cases against major tech firms as of February 2020, with more likely to be added to its workload over the course of the year.

“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” said chief compliance officer at threat intelligence firm IntSights, Chris Strand.

“This case is also drawing an increased spotlight on how to enforce the GDPR as a baseline involving an international entity as well as the use of article 65 as a vehicle for dispute resolution, which I believe will increase the importance of the GDPR as a regulation and the guidance within. “

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Senator wants social media companies held liable for spreading anti-vax lies
social media

Senator wants social media companies held liable for spreading anti-vax lies

23 Jul 2021

Most Popular

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
HPE wins networking contract with Birmingham 2022 Commonwealth Games
Network & Internet

HPE wins networking contract with Birmingham 2022 Commonwealth Games

15 Oct 2021