Irish watchdog fines Twitter €450,000 in first cross-border GDPR penalty

Twitter’s lead regulator in the region, Ireland’s Data Protection Commission (DPC), began investigating the platform in 2019 after it had self-violated its private tweets feature, stating that some private tweets on Android devices may have been exposed to the public during the years 2014 to 2019 across the bloc.

Commissioner Helen Dixon said in a statement that the DPC “has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.” As a result, the watchdog has published its penalty of €450,000, which the DPC says is, “an effective, proportionate and dissuasive measure.”

The decision, the DPC adds, “was the first one to go through the Article 65 (‘dispute resolution’) process since the introduction of the GDPR,” as well as being “the first Draft Decision in a ‘big tech’ case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.”

The penalty given equates to around a 0.1% of Twitter’s annual revenue for 2019, which has received criticism from privacy advocates for falling below the maximum penalty of 4% of global annual revenue afforded by GDPR.

As stated in the EDPB’s report on the matter, the initial fine proposed by the Irish DPC received many objections from other enforcers for being “too low” and did not comply with Article 83(1) of GDPR, which led to considerable delay in achieving a final decision. On the other hand, the German supervisory authority requested the fine be between 7 to 22 million euros, stating “the DE SA considers that a dissuasive fine in this specific case would therefore have to be so high that it would render the illegal data processing unprofitable.”

Twitter’s chief privacy officer and global DPO Damien Kieran, said in a statement to Tech Crunch:

“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.

Kieran added: “We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”