In the first major tech GDPR case, Twitter has been fined €450,000 by the Irish Data Protection Commissioner (DPC) for privacy breaches. This is the first time a multinational tech firm has been held to account by the Irish regulator since GDPR was introduced. The penalty was issued as Twitter failed to promptly declare and properly document a data breach.
The Irish Data Protection Commissioner is the lead EU privacy supervisor for several tech giants, and this case could be significant because there is a backlog of investigations against the likes of Facebook, WhatsApp, Google, Apple, and LinkedIn (amongst others). Facebook has said that it has put aside €302 million for potential regulatory fines.
What happened in this case?
The DPC began investigating this case after Twitter notified it that some private tweets were publicly available. The bug in the ‘protect your tweets’ feature meant that some Android users who’d applied the setting may have had their data exposed to the public. These users had all changed their email address during the breach period.
The fault could have been in place since 2014, but Twitter doesn’t keep logs that far back. What is certain is that the fault was present between 5 September 2017 and 11 January 2019 at the very least.
88,726 Twitter users in the EU are known to be affected, but the true number is likely to be significantly higher.
Twitter publicly disclosed the breach in mid-January. And, while the regulator does not believe that the original violation was especially serious, it has held the tech giant to account for lack of haste in notifying the DPC about it. Under GDPR, organisations are legally obligated to inform the relevant supervisory authority of most breaches of personal data within 72 hours. GDPR also requires organisations to document what data was involved in the breach, and how they responded to the security incident. Twitter failed on both counts.
While other European regulators disagreed with the scale of the fine, the DPC said the €450,000 penalty was an “effective, proportionate and dissuasive measure”.
What has Twitter said?
Twitter is blaming the reporting error on a staffing mix-up. In a statement, it said:
“An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying [the Irish Data Protection Commissioner] outside the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion,” a spokesperson for the tech company said. “We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We’re sorry it happened.”
Setting an example
Speaking about the Irish DPC’s decision, Kingsley Hayes, Head of Data Breach at Keller Lenkner UK, said:
“The fine could be game-changing when it comes to big tech and personal data. It demonstrates that the Regulator is not afraid to hold the likes of Twitter to account for breaches of data protection law, even if a breach is not thought to be hugely damaging to the data subjects. The considerable use of social media by prospective employers and recruiters for vetting candidates means that in reality users could have failed job applications without realising or knowing it.
“With other large tech companies such as Google and Facebook having large operations in Dublin, Twitter is unlikely to be the last of the big players to be made to pay the price for failing to uphold its data protection obligations.”
Have you been affected by the Twitter data breach?
If you were a Twitter user (Android) during the breach period, and your private tweets were made public, you might have a claim for compensation.
At Keller Lenkner UK, we are registering people in England & Wales who have been affected by this breach and who want to get justice.
Register with us and tell us if you experienced any negative consequences which you believe were a result of this breach. For example, did you apply for jobs but were unsuccessful as a result of a social media check, or did you suffer any online abuse for tweets that were made public?