This is the first time that the Irish regulator has applied a GDPR penalty against one of the Internet giants since GDPR became active on May 25, 2018. The fine will also be seen as quite lenient, since it could have been as high as €112m: the legislation states that the highest possible fines are €20m or 4% of annual global revenue for the previous financial year. Twitter recorded revenues of $3.46 billion (€2.8 billion) for 2019.
The fine was imposed because Twitter failed to notify the DPC in January 2019, within the time limit required by GDPR, that some users’ private tweets had been inadvertently made public. Upon discovery, the DPC began an official investigation, which led to a ruling being issued stating that Twitter breached Article 33(1) and 33(5) of GDPR through a failure to notify the breach on time to the DPC and a failure to adequately record it.
The DPC said: “The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.”
Damien Kiernan, Twitter’s chief privacy and global data protection officer, released a statement saying that the company had assisted the regulator in its investigation. It said: “We respect the commission’s decision, which relates to a failure in our incident response process… we have made changes so that all incidents following this have been reported to the commission in a timely fashion. We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”