Twitter Hit with $544,000 Penalty for Violating GDPR Data Breach Provisions
Twitter has been hit with a €450,000 ($544,600) financial penalty for violations of the data breach provisions of the EU’s General Data Protection Regulation (GDPR). The fine was issued by the Data Protection Commission (DPC) in Ireland over a privacy breach reported to the DPC by Twitter in January 2019.
The DPC received a breach notification from Twitter International Company on January 8, 2019, and an investigation commenced on January 22, 2019 to determine whether Twitter was in compliance with its responsibilities under the GDPR.
Twitter had received a notification from a researcher on December 26, 2018 advising the company about a flaw in its platform. Twitter users have the option of having their Tweets protected or unprotected. If Tweets are protected, only a specific set of individuals, the account's followers, are able to view those Tweets. Unprotected Tweets are in the public domain and can be viewed by anyone.
The bug silently changed protected Tweets to unprotected Tweets if the user changed the email address associated with their account on an Android device; the user was not informed of the change. Twitter determined the bug was introduced on November 4, 2014 but was unable to determine which users were affected prior to September 5, 2017. The issue was corrected on January 11, 2019. Between September 5, 2017 and January 11, 2019, 88,726 EU and EEA users were affected.
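The failure mode described above is a privacy setting being reset as a side effect of an unrelated account update. The following Python example is added here for illustration and is not Twitter's code; the page does not say what caused the bug, so the "buggy" path (rebuilding the settings record from defaults plus the one edited field) is an assumed mechanism, and the field names, `guarded_update` and `regression_passes` are hypothetical. It shows a side-effect check that a service can run on every settings write, and a regression test that fails on the buggy update path and passes on the fixed one.

```python
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class AccountSettings:
    """Constructed, minimal model of per-account settings (assumption, not Twitter's schema)."""
    email: str
    protected: bool          # True: Tweets visible to followers only
    display_name: str = ""


# Defaults a freshly created account would start from (constructed).
DEFAULT_SETTINGS = AccountSettings(email="", protected=False)


def update_email_buggy(current: AccountSettings, new_email: str) -> AccountSettings:
    """Assumed defect: the new record is built from defaults plus the edited field,
    so every setting the caller did not pass reverts to its default, including
    the protected flag."""
    return replace(DEFAULT_SETTINGS, email=new_email)


def update_email_fixed(current: AccountSettings, new_email: str) -> AccountSettings:
    """Corrected form: copy the existing record and change only the requested field."""
    return replace(current, email=new_email)


def unexpected_changes(before: AccountSettings, after: AccountSettings,
                       requested: set) -> set:
    """Return the names of fields that changed although the caller did not ask for them."""
    changed = {
        f.name for f in fields(before)
        if getattr(before, f.name) != getattr(after, f.name)
    }
    return changed - set(requested)


def guarded_update(current: AccountSettings, update_fn, new_email: str) -> AccountSettings:
    """Apply an email update and refuse to persist it if any other field drifted.

    A guard like this at the write boundary turns a silent privacy downgrade
    into a logged, rejected operation, which is what a defender wants."""
    candidate = update_fn(current, new_email)
    drift = unexpected_changes(current, candidate, {"email"})
    if drift:
        raise ValueError(f"update touched fields outside the request: {sorted(drift)}")
    return candidate


def regression_passes(update_fn) -> bool:
    """Regression test for the reported failure mode: a protected account must
    still be protected after an email change, and nothing else may change."""
    protected_user = AccountSettings(email="old@example.invalid",
                                     protected=True, display_name="A")
    try:
        updated = guarded_update(protected_user, update_fn, "new@example.invalid")
    except ValueError:
        return False
    return updated.protected and updated.email == "new@example.invalid"


if __name__ == "__main__":
    print("fixed path passes:", regression_passes(update_email_fixed))   # True
    print("buggy path passes:", regression_passes(update_email_buggy))   # False
```

The useful property is that the guard does not need to know in advance which field might regress: any write that alters more than the requested fields is rejected, so a future change to a different setting would be caught by the same check.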
Article 33(1) of the GDPR requires companies to notify the appropriate Data Protection Authority within 72 hours of the discovery of a data breach. The Irish DPC found Twitter to have violated this GDPR provision. Article 33(5) of the GDPR requires companies to promptly document a breach and detail the data involved and the measures that have been taken to address the breach to allow the data protection controller to assess compliance. The DPC found Twitter had failed to adequately document its breach.
A financial penalty was deemed appropriate and was issued as “an effective, proportionate, and dissuasive measure,” according to a statement issued by the DPC.
Twitter worked closely with the DPC, fully assisted in the investigation, and accepted there had been a failure in its incident response process. “An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer, in a statement. “We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”
This is the first cross-border penalty to be issued by the Irish GDPR watchdog and, while sizeable, is a tiny fraction of the penalty that could have been issued. The maximum penalty for a GDPR violation is €20 million ($24.2 million) or 4% of global annual turnover, whichever is greater.
The maximum financial penalty would have been €138 million ($168 million). The fine therefore equates to around 0.1% of global annual turnover for 2019, or around 1.5 hours of revenue for Twitter.