Twitter Fined $550K by Ireland's Data Protection Commission for Not Properly Documenting Data Breach Case

The Data Protection Commission (DPC) of Ireland has issued social media app Twitter with a fine of $550,000 or €450,000 for failing to properly declare and document a data breach under Europe's General Data Protection Regulation (GDPR).

Twitter fined

The commission's decision is noteworthy as it is the first cross-border GDPR decision issued by the Irish watchdog, which is the lead EU privacy supervisor for numerous tech giants. It has a backlog of more than 20 ongoing cases, including active probes of WhatsApp, Facebook, Google, Apple and LinkedIn.

The regulator stated in a press release that the DPC's investigation commenced in January 2019 after receipt of a breach notification from Twitter. The DPC found that the social media app infringed Article 33(1) and 33(5) of the GDPR by failing to notify the DPC of the breach on time and failing to adequately document the breach.

The press release also states that the DPC has imposed an administrative fine of $550,000 or €450,000 on Twitter as an effective, proportionate and dissuasive measure.

Europe's GDPR requires most breaches of personal data to be notified to the relevant supervisory authority within 72 hours of the controller being notified of the breach, according to CNA.

The regulation also requires that they document what type of data was involved and how they have responded to the security breach, so that the data supervisor can review compliance. In this case, Twitter was found to have failed in both areas.

The site TechCrunch has reached out to Twitter for a comment and asked whether the company plans to accept the decision and pay up or if it is considering legal options.

Twitter stated that since the incident, where inadequate staffing over the 2018 holiday period led to a delay in reporting the breach, it has made all the necessary incident reports to the DPC within the required 72-hour timeline.

The DPC's decision related to a breach that Twitter publicly disclosed in January 2019, when it stated that a bug in its "Protect your tweets" feature could have meant some Android users who had applied the setting to make their tweets non-public may have had their data exposed to the Internet since 2014. However, the GDPR could only apply to data the bug exposed since 2018.

Since admitting to the bug, Twitter has had more security issues, including a high-profile account hijacking case in early 2020, after crypto-scam-spreading hackers obtained network access credentials using a social engineering technique.

Ireland's DPC

The DPC continues to face criticism for the amount of time that it is taking to reach decisions on massive cross-border GDPR cases where impacts on individual rights can scale to hundreds of millions of Internet users in Europe, according to NDTV.

In 2019, commissioner Helen Dixon stated that the DPC's first major GDPR decisions would come early in 2020. In the event, the first cross-border decision has crossed the line days before the end of 2020, underlining the challenges for the bloc in effectively enforcing its digital rules against tech giants.

This article is owned by Tech Times

Written by Sieeka Khan
