Irish data regulator DPC increases Twitter’s GDPR fine for tweeting bug, after watchdogs in Austria, Germany, Italy argued it was too low
Twitter has been fined by the Irish data protection watchdog, after a bug caused some private tweets to be made public.
The issue occurred back in 2019, when a bug in Twitter’s Android app caused some users’ protected tweets to be made public.
The Data Protection Commission (DPC), the Irish regulator responsible for policing Twitter (because of its European HQ in Ireland), initially opted to fine Twitter between $150,000 and $300,000, but other European data protection watchdogs felt this was too low, Reuters reported.
Twitter’s data protection gaffe took place while the EU’s General Data Protection Regulation (GDPR) was in effect.
But the DPC fine is the first time a European watchdog has fined an American company using a new dispute resolution system, under which one lead national regulator makes a decision before consulting with the other EU national regulators.
The Austrian, Italian and German data regulators felt the DPC fine, issued in May, was too low, which in turn triggered a referral to the dispute resolution body, the European Data Protection Board (EDPB).
In particular it was levied due to Twitter’s “failure to notify the breach on time to the DPC and a failure to adequately document the breach,” the DPC said in a statement, calling the punishment a “proportionate and dissuasive measure”.
Under the GDPR rules, the DPC has the ability to fine a company 20m euros ($22m) or up to 4 percent of the firm’s global turnover.
In the end it decided to fine Twitter 450,000 euros ($546,940).
“The Data Protection Commission (DPC) has today announced a conclusion to a GDPR investigation it conducted into Twitter International Company,” the Irish regulator announced. “The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.
“The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” it added.