Two years after Twitter’s data breach, Ireland’s Data Protection Commission (DPC) has levied a €450,000 fine on the company, roughly $547,000 at recent rates. The penalty comes after the social media platform failed to disclose the breach in a timely manner, as the General Data Protection Regulation (GDPR) requires.
Ireland’s watchdog made the announcement on Tuesday, December 15, 2020. According to TechCrunch, this is a revolutionary step for the Irish regulator: it is the first fine it has imposed on a company from the United States, which makes this a cross-border case.
The decision follows a lengthy cross-border process that came after a draft and comments back in May. Objections from regulators to several aspects of the decision delayed the timeline. The Wall Street Journal states that the final decision was only issued in early November 2020.
On its website, the Irish regulator said, “The DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate, and dissuasive measure.”
The Wall Street Journal said that Twitter failed to notify the Irish watchdog within 72 hours of discovering the data breach. In addition, TechCrunch states that the GDPR requires companies to keep detailed documentation of the incident.
The violations found against the social media platform pertain to a security flaw in its system. TechCrunch revealed that private tweets from Android users were reportedly exposed over the course of four years.
The flaw was a vulnerability in the ‘Protect your tweets’ feature, and it affected Android users who had applied the setting to hide their tweets from the public.
In a statement, chief privacy officer Damien Kieran said the delay in notification stemmed from the “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day.” As a result, the company disclosed the incident in January 2019.
Following this, Kieran states that they “have made changes so that all incidents following this have been reported to the DPC in a timely fashion.” Twitter is also sorry for its mistake and has since taken responsibility for the breach and its untimely notification.
Apart from Twitter, the Irish regulator is slated to go over more than 20 cases from various tech firms. These include the likes of Apple Inc., Facebook, Microsoft, LinkedIn, WhatsApp, and many others.