Twitter Fined $547,000 Under GDPR for 2018 Data BreachPenalty Marks First Time Any US Tech Firm Penalized Under EU's Privacy Regulation
For the first time, a U.S. technology firm has been fined under the EU's General Data Protection Regulation. Ireland's Data Protection Commission on Tuesday hit social media giant Twitter with a 450,000 euros ($547,000) fine for failing to report and document a data breach within 72 hours, as required under GDPR.
In 2018, a bug in Twitter's design specific to Android devices inappropriately exposed protected messages from 88,000 users, the commission says.
The commission says that Twitter reported that data exposure in January 2019 - it was discovered on Dec. 26, 2018 - at which time the regulatory agency began its investigation into the incident.
The DPC took the lead in the investigation because Twitter's European operation is headquartered in Ireland.
"The DPC has imposed an administrative fine of 450,000 euros on Twitter as an effective, proportionate and dissuasive measure," writes Helen Dixon, Ireland's commissioner for data protection.
Twitter noted that it did work closely with the DPC and respected the commission's decision on the fine.
Twitter worked closely with the Irish Data Protection Commission (@DPCIreland) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process.— Twitter Comms (@TwitterComms) December 15, 2020
"This is a significant step and tells many of the firms based in Ireland that the DPC is serious about its obligations. Some may argue that the fine was too low, however, I view it as a warning shot to Twitter that any similar breaches in the future will be dealt with more harshly," says Brian Honan, CEO of Dublin-based BH Consulting.
Although the case marks the first time a U.S. technology firm has been fined under GDPR, other American firms have been fined, albeit as a result of investigations run by other countries in Europe. Sanctioned organizations include Marriott Hotels, which recently was fined $23.8 million by the U.K.'s privacy watchdog, and Ticketmaster, which was fined $1.7 million, also by the U.K. Both of those fines were determined in consultation with privacy authorities in EU member states.
Twitter Blames Personnel Shortage
Twitter blamed the reporting delay on staffing issues in December 2018.
An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying @DPCIreland outside the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion.— Twitter Comms (@TwitterComms) December 15, 2020
Due to the bug in the Twitter app for Android, if a user changed the email address associated with their Twitter account, any protected tweets became unprotected tweets and therefore accessible to the public - and not just a user's followers - without the user's knowledge, the DPC's report states.
Debate Over Low Level of Fine
The maximum penalty for violating GPDR is 20 million euros ($23 million) or 4% of an organization's annual global revenue - whichever is higher.
A deciding factor in setting the fine in this case was that Twitter International Co., which manages Twitter for the EU, was directly responsible for the breach, and not the much larger San Francisco-based Twitter Inc., Dixon says.
"When applied here in the context of the GDPR though, it is clear that TIC, as the sole independent controller of personal data of EEA data subjects, enjoys independence in respect of decisions about the purposes and means of processing," she says.
The DPC had originally intended to fine TIC $164,000 to $334,000. But some other EU member states objected, demanding a larger fine, and for the first time ever, initiated a dispute resolution process, as enshrined in GDPR. This sees the case get referred to the independent European Data Protection Board, which has a remit to ensure that GDPR gets consistently applied.
The board concluded that Twitter's Ireland-based operation and its parent company, TIC, operate in a co-dependent fashion, so the parent company’s revenue should be taken into consideration when setting the fine.
In response, the DPC increased the amount to $547,000.
Johnny Ryan, a senior fellow with the Irish Council for Civil Liberties, says multiple board members "took issue" with the penalty.
Maximum fine in Twitter’s case is 60$M.— Johnny Ryan (@johnnyryan) December 15, 2020
DPC proposed fine of 150-300$K.
But other enforcers said no. @EU_EDPB made binding decision: DPC must set a bigger fine to discourage Twitter from future breaches.
DPC made a small increase 450€M.
For context, Germans wanted 7-22$M. pic.twitter.com/Q4AraN0pdI
For example, Ryan said that German regulators were pushing for a fine of $7 million to $22 million.