Ireland’s Data Protection Commission (DPC) fined Twitter on Tuesday for failing to report in a timely manner a breach that exposed users’ private tweets between September 2017 and January 2019. Approximately 88,000 accounts were identified as having their tweets publicly available, despite the accounts being marked private. The €450,000 fine was calculated in accordance with EU precedent and is meant to be effective, proportionate and dissuasive to further breaches.
The EU’s landmark General Data Protection Regulation (GDPR), under Article 33(1), requires companies to notify the DPC if they discover that a breach has occurred, but Twitter did not do so. In filings with the commission, Twitter said that delays by its data protection contractors contributed to the late notification, but the DPC noted that the contractor’s reports did not reflect this.
The decision is notable as the first decision by a European data regulatory authority to be mediated under Article 65 of the GDPR, which provides for mediation in the case of disagreement between different supervisory authorities within the EU. The consistency mechanism provides for stable and reliable decisions between EU data regulators to ensure that businesses are able to act in compliance with the GDPR and other regulatory provisions.