- The Irish Data Protection Commission fined Twitter $546,000 for violating the EU’s GDPR privacy law and failing to notify the regulator of a data breach within 72 hours of one occurring.
- The case pertains to a breach during the 2018 holiday period that left users’ private tweets exposed, an incident for which Twitter told Business Insider it takes responsibility.
- The EU’s GDPR privacy law, passed in mid-2018, mandates that companies handling EU citizens’ data ring the alarm within 72 hours of discovering a data breach.
- News of the fine also comes after the US Federal Trade Commission ordered Twitter and seven other tech companies to disclose how they collect and track people’s personal information. They have 45 days to respond from the day they received the order.
- Visit Business Insider’s homepage for more stories.
Twitter is the first US company to be fined for violating the European Union’s relatively new GDPR privacy law, The Wall Street Journal reported on Tuesday.
Ireland’s Data Protection Commission said Tuesday that it’s fining Twitter $546,000 for failing to note or alert regulators within 72 hours of discovering a data breach over the 2018 holiday period, which left some users’ private tweets vulnerable. The General Data Protection Regulation (GDPR) includes a mandate that if companies that handle EU citizens’ data realize there has been a breach, they must inform those affected within 72 hours.
In a statement to Business Insider, Twitter’s Chief Privacy Officer Damien Kieran said the company takes “responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.” He also said the issue was the result of an “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day.”
The company also said all reports have been made within the required 72-hour period since the incident occurred.
The fine comes after officials deliberated for nearly two years over this specific Twitter case. Helen Dizon, head of the Irish Data Protection Commission, told the outlet that the process was “too long,” but it still marks the first time that EU authorities have completed such a process. Twitter said it fixed the issue in January 2019, as the WSJ notes.
The EU's GDPR privacy law was passed in May 2018 and marked a sweeping step toward holding tech companies more accountable. The law includes a series of stipulations, like granting customers the right to have their data deleted if they ask and requiring companies to inform people on how or why their data is being processed.
Twitter is also wrapped up in an order issued Monday by the US Federal Trade Commission. The federal agency is ordering the company, as well as Amazon, Facebook, Snap, and five others, to disclose how they collect and track people's personal information online. The companies have 45 days to respond to the order from the day that they received it.
The FTC's order signals a move toward a tougher crackdown of the tech industry, which has largely enjoyed little oversight in its history.