Breach Notification , General Data Protection Regulation (GDPR) , Security Operations

Twitter Fined $547,000 Under GDPR for 2018 Data Breach

Penalty Marks First Time Any US Tech Firm Penalized Under EU's Privacy Regulation
Twitter Fined $547,000 Under GDPR for 2018 Data Breach

For the first time, a U.S. technology firm has been fined under the EU's General Data Protection Regulation. Ireland's Data Protection Commission on Tuesday hit social media giant Twitter with a 450,000 euros ($547,000) fine for failing to report and document a data breach within 72 hours, as required under GDPR.

See Also: Securing Your Business Begins with Password Security

In 2018, a bug in Twitter's design specific to Android devices inappropriately exposed protected messages from 88,000 users, the commission says.

The commission says that Twitter reported that data exposure in January 2019 - it was discovered on Dec. 26, 2018 - at which time the regulatory agency began its investigation into the incident.

The DPC took the lead in the investigation because Twitter's European operation is headquartered in Ireland.

"The DPC has imposed an administrative fine of 450,000 euros on Twitter as an effective, proportionate and dissuasive measure," writes Helen Dixon, Ireland's commissioner for data protection.

Twitter noted that it did work closely with the DPC and respected the commission's decision on the fine.

"This is a significant step and tells many of the firms based in Ireland that the DPC is serious about its obligations. Some may argue that the fine was too low, however, I view it as a warning shot to Twitter that any similar breaches in the future will be dealt with more harshly," says Brian Honan, CEO of Dublin-based BH Consulting.

Although the case marks the first time a U.S. technology firm has been fined under GDPR, other American firms have been fined, albeit as a result of investigations run by other countries in Europe. Sanctioned organizations include Marriott Hotels, which recently was fined $23.8 million by the U.K.'s privacy watchdog, and Ticketmaster, which was fined $1.7 million, also by the U.K. Both of those fines were determined in consultation with privacy authorities in EU member states.

Twitter Blames Personnel Shortage

Twitter blamed the reporting delay on staffing issues in December 2018.

Due to the bug in the Twitter app for Android, if a user changed the email address associated with their Twitter account, any protected tweets became unprotected tweets and therefore accessible to the public - and not just a user's followers - without the user's knowledge, the DPC's report states.

Debate Over Low Level of Fine

The maximum penalty for violating GPDR is 20 million euros ($23 million) or 4% of an organization's annual global revenue - whichever is higher.

A deciding factor in setting the fine in this case was that Twitter International Co., which manages Twitter for the EU, was directly responsible for the breach, and not the much larger San Francisco-based Twitter Inc., Dixon says.

"When applied here in the context of the GDPR though, it is clear that TIC, as the sole independent controller of personal data of EEA data subjects, enjoys independence in respect of decisions about the purposes and means of processing," she says.

The DPC had originally intended to fine TIC $164,000 to $334,000. But some other EU member states objected, demanding a larger fine, and for the first time ever, initiated a dispute resolution process, as enshrined in GDPR. This sees the case get referred to the independent European Data Protection Board, which has a remit to ensure that GDPR gets consistently applied.

The board concluded that Twitter's Ireland-based operation and its parent company, TIC, operate in a co-dependent fashion, so the parent company’s revenue should be taken into consideration when setting the fine.

In response, the DPC increased the amount to $547,000.

Johnny Ryan, a senior fellow with the Irish Council for Civil Liberties, says multiple board members "took issue" with the penalty.

For example, Ryan said that German regulators were pushing for a fine of $7 million to $22 million.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.