Ireland fines Twitter over data breach in first for EU privacy laws

Bug on Android phones meant some private tweets were made public


Ireland fined Twitter over a data breach that led to some private tweets being made public.

The social media company was fined €450,000 ($547,000) by the country's data protection watchdog – the first sanction against a US company under a new system that enforces European Union data protection laws.

Twitter broke the regulations by failing to report the breach within the required 72 hours, Ireland’s Data Protection Commission said on Tuesday. Twitter was also fined over its “failure to adequately document the breach”.

The administrative fine was levied as “an effective, proportionate and dissuasive measure”, the Irish watchdog said.

Twitter last year alerted the Irish authority to a potentially disabled privacy setting that put some devices running on Google’s Android mobile operating system at risk.

The watchdog's investigation started in January 2019. Because it potentially affected users throughout the EU, the regulator had to send the draft findings of its inquiry to other authorities, dragging out a process that critics said took far too long.

The General Data Protection Regulation (GDPR) in the EU makes Ireland the lead regulator for Twitter, Facebook, Apple and Google in the bloc, because all have their EU headquarters in the country.

GDPR has been in force since 2018, but the Twitter case is the first using a new dispute resolution system under which one lead national regulator makes a decision before consulting the other EU watchdogs.

Some EU regulators objected to Ireland's preliminary Twitter ruling when it was issued in May, triggering a referral to the dispute resolution body, the European Data Protection Board, to secure a two-thirds majority among member states.

Twitter said that the delay in reporting the 2018 data breach was an "unanticipated consequence of staffing between Christmas Day 2018 and New Year's Day" and that it had made changes so future incidents would be reported in a timely fashion.

Twitter said at the time: "We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur."

The Irish watchdog, which has launched more than 20 major inquiries into US technology companies, has the power to impose fines for breaches of up to 4 per cent of a company's global revenue or €20 million, whichever is higher.

Twitter is the subject of at least one other inquiry by the Irish regulator.