Ireland’s Data Protection Commission (DPC) on 15 December imposed a fine of 450,000 euros (around $547,000) on Twitter for failure to promptly notify and properly document a data breach under Europe’s General Data Protection Regulation (GDPR).
This is the first time a US-based tech firm has been fined in a cross-border case under Europe’s data privacy law that came into effect on May 25, 2018. As per reports, the security flaw exposed some of the private tweets of Android users on Twitter for over four years.
The DPC’s investigation into Twitter commenced in January 2019 following the receipt of a breach notification from the social media company. The primary reason for the delay in the fine is the cross-border process. Ireland’s DPC posted its draft decision back in May 2020 as part of the GDPR’s comments process. However, several other regulators raised objections to points in its decision, which eventually delayed the entire process.
One of the key objections raised during this process concerned the amount the DPC wanted to fine Twitter, since a fine of $547,000 is much less than 2 percent of Twitter’s annual global revenue.
The DPC has found that Twitter infringed provisions of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.
Under Europe’s data protection law, organisations need to report breaches of personal data to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach, TechCrunch reported.
It is also important for them to properly document the data involved in the breach so that the data supervisor can check for compliance.
The Irish watchdog has a backlog of over 20 ongoing cases at this point, including active probes of Facebook, WhatsApp, Google, Apple and LinkedIn, among others, said the TechCrunch report.