Credits: Wikimedia Commons

Ireland’s Data Protection Commission (DPC) has fined Twitter with € 450,000 since it failed to quickly declare and properly document a data breach under Europe’s General Data Protection Regulation (GDPR). This makes Twitter the first U.S. tech company to get issued with a fine under the new privacy laws of the European Union, ever since they were introduced two-and-a-half-years ago. It is also the first cross-border case.

“The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” the press release from the regulator reads.

The case started from a security gap that Twitter said it fixed in January 2019, which over a period of more than four years, exposed the private tweets of some users.

The GDPR requires most breaches of personal data to be informed to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach. The regulation also requires the company to document what data was involved and how it has responded to the security incident, so that the relevant data supervisor can check against compliance. Twitter was found to have failed on both counts.

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers,” said Damien Kieran, Twitter’s chief privacy officer.

This is the first case concerning privacy breaches in Ireland involving big U.S. tech companies to actually come to fruition. Many other companies such as Facebook Inc., Apple Inc. and Alphabet Inc.’s Google have also seen cases registered against them, and with the verdict of the Twitter case out, many of these companies could be looking for their own results in the near future.

It has taken the Ireland’s data commission nearly two years to come at a conclusion to the Twitter case. The delay was caused thanks to the commission and its counterparts incessantly quarreling over the jurisdiction, investigatory scope, and the amount of fine. This delay has led to many of the privacy activists and EU privacy regulators getting frustrated.

The head of the Irish Data Protection Commission, Helen Dixon, who is in charge of enforcing the GDPR for Google, said that GDPR enforcement and power sharing is still in development, and that her office has been handling its cases meticulously to make sure that its decisions stand up to expected court challenges. She has expressed dissatisfaction with the speed at which the investigation has progressed, but also expressed hope as this is the first time that the EU data-protection authorities have stepped through the process.