
Twitter fined €450k for breaching GDPR disclosure rules

Firm chastised over its handling of a 2018 flaw that made private tweets accessible to the public

The Irish Data Protection Commission (DPC) has fined Twitter €450,000 (approximately £409,000) after the company alerted the regulator to a serious flaw on its platform nearly two weeks after the flaw was first reported to it, well beyond the 72-hour notification window that GDPR sets for reporting a personal data breach.

The DPC began its investigation into Twitter in January 2019 after the firm notified it of a bug that exposed the tweets of users who had previously set their accounts to ‘protected’. A fine has now been imposed “as an effective, proportionate and dissuasive measure” for violations of Article 33(1) of GDPR, which requires a controller to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and Article 33(5), which requires the controller to document the breach, its effects and the remedial action taken.

Twitter notified the DPC about the flaw, and the breach of user privacy it caused, 13 days after receiving the initial bug report on 26 December, and it also failed to adequately document the nature of the breach and its implications.

Twitter received a report that if a user with a protected account changed the email address associated with it on an Android device, a bug would cause the account to become unprotected. This meant their previously protected Tweets, which are only viewable by followers the user has approved, became visible to the general public. The bug was traced back to a code change made in November 2014.

According to the regulator’s final decision, the severity of the issue, and the fact that it was serious enough to warrant reporting to a supervisory authority (in this case the Irish DPC), was not appreciated until 3 January 2019. Twitter’s incident response team was put into action immediately, but the Irish DPC was not notified until 8 January, well beyond the 72-hour window set out under GDPR, which runs from the point at which the controller becomes aware of the breach.

In this case, the DPC's fine reflects Twitter's failure to abide by the breach notification and documentation rules of GDPR, rather than any sanction for the underlying bug or the exposure of protected tweets itself.

This is the first GDPR decision against a major US tech company to be resolved under the Article 65 dispute resolution mechanism, in which the European Data Protection Board issues a binding decision when other EU supervisory authorities object to the draft decision of the lead supervisory authority appointed under the regulation's one-stop-shop procedure.

Although companies such as Google have previously faced GDPR fines from regulators acting unilaterally, the Irish DPC, as lead supervisory authority for the many tech firms with their EU headquarters in Ireland, is charged with handling violations that are largely cross-border in nature.

As such, the regulator is currently investigating scores of complaints, including 21 cases against major tech firms as of February 2020, with more likely to be added to its workload over the course of the year.

“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” said chief compliance officer at threat intelligence firm IntSights, Chris Strand.

“This case is also drawing an increased spotlight on how to enforce the GDPR as a baseline involving an international entity as well as the use of article 65 as a vehicle for dispute resolution, which I believe will increase the importance of the GDPR as a regulation and the guidance within.”
