Twitter to Pay $544,000 for a GDPR Data Breach Violation

Twitter is going to pay a €450,000 ($544,600) penalty for breaching the EU’s General Data Protection Regulation (GDPR). The Irish Data Protection Commission (DPC) issued the penalty following the data breach report that Twitter submitted to the DPC on January 8, 2019.

After receiving the breach notification from Twitter International Company, the DPC opened an investigation on January 22, 2019 to determine whether Twitter was compliant with the GDPR.

On December 26, 2018, a researcher notified Twitter of a problem. Twitter gives its users the choice of whether or not to send protected Tweets. Only a specific group of approved followers can view protected Tweets, whereas unprotected Tweets can be viewed by the public.

A bug in the Twitter platform made protected Tweets public without the user’s knowledge. It was triggered when a user changed the email address linked to their Twitter account from an Android device. Twitter determined that the bug had existed since November 4, 2014, but it could not identify which users were affected before September 5, 2017. The issue was fixed on January 11, 2019. Between September 5, 2017 and January 11, 2019, the bug affected 88,726 users in the EU and EEA.

Under Article 33(1) of the GDPR, covered entities must report a data breach to the competent Data Protection Authority within 72 hours of becoming aware of it. The Irish DPC found that Twitter had violated this provision. Under Article 33(5) of the GDPR, covered entities must also document each breach, including the data affected and all steps taken to handle it, so that the data protection authority can assess compliance. The DPC found that Twitter lacked the required breach documentation.

The DPC decided to penalize Twitter as “an effective, balanced, and dissuasive measure.” Twitter cooperated with the DPC’s investigation and acknowledged its failure to follow the appropriate incident response procedure. The failure resulted from unexpected staffing demands between Christmas Day and New Year’s Day in 2018, because of which Twitter did not notify the DPC within 72 hours. Twitter has since put in place the required changes to ensure that the DPC receives all future incident reports promptly.

This is the DPC’s first cross-border penalty. It is a sizeable penalty, though it represents only a small fraction of the maximum that could have been imposed, which is €20 million ($24.2 million) or 4% of global annual revenue, whichever is higher. Twitter could have faced a maximum financial penalty of €138 million ($168 million). That was 0.1% of its global annual revenue for 2019.