This is significant event for two reasons. Firstly, it is the first time that the Irish regulator has moved to sanction a penalty against one of the larger Internet companies since GDPR became enforceable in May 2018. Secondly, the fine is far less that it might have been as GDPR states that the highest possible fines are €20m or 4% of annual global revenue for the previous financial year, whichever figure is higher. As Twitter recorded revenues of $3.46 billion (€2.8 billion) for 2019 this could have resulted in a GDPR fine of €112m. Instead the DPC, which is often criticized by data privacy groups for adapting a lenient approach to ‘big tech’ companies, opted to sanction a much smaller penalty, partly as a result of the assistance that Twitter provided during the investigation.
Following the revelation in January 2019 that some users’ private tweets had been inadvertently made public, despite using the ‘Protect Your Tweets’ service, the DPC commenced an official investigation into the the alleged breach. After the investigation a ruling was issued stating that Twitter infringed Article 33(1) and 33(5) of GDPR in terms of a failure to notify the breach on time to the DPC, and a failure to adequately document it.
Today the DPC revealed the final fine in an official press release which read: “The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.”
Twitter admitted that the breach took placed and subsequently completely assisted with DPC inquiry. As this was a breach which impacted those living in a number of different EU member states, the co-operation and consistency provision of GDPR meant that the Irish Data Protection Commissioner, Helen Dixon was legally obliged to seek to seek the agreement of other data protection authorities before she could make any final decision. Her office circulated its draft findings to other regulators in May. However, as there was much disagreement between the different bodies it fell to the European Data Protection Board had to make the final decision.
Damien Kiernan, Twitter’s chief privacy and global data protection officer, released a statement to say that it assisted with the regulator to support its investigation. It said: “We respect the commission’s decision, which relates to a failure in our incident response process… we have made changes so that all incidents following this have been reported to the commission in a timely fashion. “We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”