Twitter fined €450k for breaching GDPR disclosure rules

Firm chastised over its handling of a 2018 flaw that made private tweets accessible to the public

The Irish data protection commission (DPC) has fined Twitter €450,000 (approximately £409,000) after the company alerted the watchdog to a serious flaw on its platform nearly two weeks after first discovery, well beyond the strict 72-hour notification window as established under GDPR.

The DPC began its investigation against Twitter in January 2019 after the firm notified it of a bug that exposed the tweets of users who had previously set their accounts to be ‘protected’. A fine has now been administered “as an effective, proportionate and dissuasive measure” due to violations of Article 33(1) and 33(5) of GDPR, which concern the timely and adequate notification of a data breach to a regulator.

Twitter notified the DPC about the flaw, and its potential breach of user privacy, 13 days after receiving the initial bug report on 26 December, ultimately failing to sufficiently document the nature of the breach or its implications.

Twitter received a report that if a user with a protected account changed their email address on an Android device, a bug would lead to their account being unprotected. This would mean their previously protected Tweets, which are only viewable by those the user approves to follow their account, were visible to the general public. The bug in the code was traced back to a change made in November 2014.

The severity of this issue, and that it was grave enough to warrant reporting to a supervisory authority – in this case, the Irish DPC – wasn’t appreciated until 3 January 2019, according to the regulator’s final decision. Twitter’s incident response team was immediately put into action, but it wasn't until 8 January that the Irish DPC was then notified, well beyond the 72-hour-window set out under GDPR. 

In this case, the DPC's fine reflects Twitter's failure to abide by the disclosure rules of GDPR, rather than any sanction for the exploit itself.

This is the first case of a major US tech company facing GDPR sanctions under the Article 65 mechanism, which nominates a lead supervisory authority to adjudicate on behalf of all member states.

Although companies such as Google have previously faced GDPR fines by regulators acting unilaterally, the Irish DPC has been charged with regulating violations that are vastly cross-border in nature with regards to the companies headquartered in Ireland.

As such, the regulator is currently in the process of investigating scores of complaints, including 21 cases against major tech firms as of February 2020, with more likely to be added to its workload over the course of the year.

“There has been increased pressure on the local Irish data authority to ensure that the GDPR takes a front seat in deciding on actions to be taken in the wake of the Twitter data breach,” said chief compliance officer at threat intelligence firm IntSights, Chris Strand.

“This case is also drawing an increased spotlight on how to enforce the GDPR as a baseline involving an international entity as well as the use of article 65 as a vehicle for dispute resolution, which I believe will increase the importance of the GDPR as a regulation and the guidance within. “

Featured Resources

Virtual desktops and apps for dummies

An easy guide to virtual desktop infrastructure, end-user computing, and more

Download now

The total economic impact of optimising and managing your hybrid multi-cloud

Cost savings and business benefits of accelerating the cloud journey

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

What’s next for the education sector?

A new learning experience

Download now

Recommended

Defend your organisation from evolving ransomware attacks
ransomware

Defend your organisation from evolving ransomware attacks

18 May 2021
Enabling operational resiliency with Veritas
Whitepaper

Enabling operational resiliency with Veritas

18 May 2021
Biden rescinds Trump's anti-Section 230 executive order
Policy & legislation

Biden rescinds Trump's anti-Section 230 executive order

17 May 2021
Data breach exposes widespread fake reviews on Amazon
data breaches

Data breach exposes widespread fake reviews on Amazon

7 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021