Twitter fined €450k for breaching GDPR disclosure rules

Firm chastised over its handling of a 2018 flaw that made private tweets accessible to the public

The Irish Data Protection Commission (DPC) has fined Twitter €450,000 (approximately £409,000) after the company notified the watchdog of a serious flaw on its platform nearly two weeks after the initial bug report, well beyond the strict 72-hour notification window set out under GDPR.

The DPC began its investigation into Twitter in January 2019, after the firm notified it of a bug that exposed the tweets of users who had previously set their accounts to be ‘protected’. A fine has now been imposed “as an effective, proportionate and dissuasive measure” for violations of Articles 33(1) and 33(5) of GDPR, which respectively require the timely notification of a personal data breach to the supervisory authority and adequate documentation of the breach by the controller.

Twitter notified the DPC of the flaw, and the resulting breach of user privacy, 13 days after receiving the initial bug report on 26 December 2018. The DPC also found that Twitter had failed to adequately document the nature of the breach and its effects, as Article 33(5) requires.

Twitter received a report that if a user with a protected account changed the email address associated with it on an Android device, a bug would cause the account to become unprotected. Their previously protected tweets, which are normally visible only to followers the user has approved, were therefore exposed to the general public. The faulty code was traced back to a change made in November 2014.

According to the regulator’s final decision, Twitter did not appreciate until 3 January 2019 that the issue was serious enough to require reporting to a supervisory authority, in this case the Irish DPC. Its incident response process was invoked immediately, but the DPC was not notified until 8 January, well beyond the 72-hour window set out under GDPR. Because the Article 33(1) clock runs from the moment a controller becomes aware of a breach, the notification was late even when counted from 3 January rather than from the original report on 26 December.

The fine therefore penalises Twitter’s failure to meet GDPR’s notification and documentation obligations, not the underlying bug or the exposure of the tweets themselves.

This is the first GDPR sanction against a major US tech company to go through the Article 65 dispute-resolution mechanism, under which the European Data Protection Board issues a binding decision when other concerned supervisory authorities object to the draft decision of the lead supervisory authority.

Although companies such as Google have previously received GDPR fines from national regulators acting unilaterally, the Irish DPC acts as lead supervisory authority for the many companies with their EU headquarters in Ireland, and is therefore responsible for violations that are largely cross-border in nature.

As a result, the regulator is working through scores of complaints, including 21 cases against major tech firms as of February 2020, with more likely to be added to its workload over the course of the year.

“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” said Chris Strand, chief compliance officer at threat intelligence firm IntSights.

“This case is also drawing an increased spotlight on how to enforce the GDPR as a baseline involving an international entity as well as the use of Article 65 as a vehicle for dispute resolution, which I believe will increase the importance of the GDPR as a regulation and the guidance within.”
