Twitter hit with €450,000 GDPR fine nearly two years after disclosing data breach

From The Verge: Ireland’s Data Protection Commission (DPC) has fined Twitter €450,000 (around $546,000) over a data breach it disclosed back in January 2019, the regulator announced today. The security flaw exposed some supposedly private tweets from the service’s Android users for over four years. Twitter was found to have violated the EU’s General Data Protection Regulation (GDPR) because it failed to notify the regulator within 72 hours of discovering the breach, The Wall Street Journal reports.

The fine is notable because it’s the first time a US tech giant has been hit with a GDPR fine in a cross-border case, meaning one in which the Irish regulator consulted its EU counterparts as part of the decision. The investigation was headed by Ireland’s DPC because Ireland is where Twitter’s international headquarters are based.

This cross-border process is part of the reason why it’s taken so long to issue this fine. Ireland’s DPC posted its draft decision back in May as part of the GDPR’s comments process. However, several other regulators raised objections to several points in its decision, which eventually led to a dispute-resolution process.

One key objection raised was to the amount the DPC wanted to fine Twitter, the WSJ reports. A fine of €450,000 is well short of the 2 percent of Twitter’s global annual revenue that can be levied under GDPR for failing to properly disclose a data breach. The Irish regulator originally wanted to fine Twitter even less than this, but through the dispute-resolution process, it was told to increase the amount. The DPC had argued for a smaller fine because it believed Twitter’s failing was through negligence, rather than being intentional or systematic.
