Last week, after an investigation that lasted almost two years, the Irish Data Protection Commission (DPC) found that Twitter failed to comply with the General Data Protection Regulation—a European Union law that aims to protect data privacy and hold companies accountable for breaches.
The DPC has now announced that it’s fining Twitter, but not very harshly; the regulator is asking for €450,000, or about $546,000. That represents about 0.016% of Twitter’s $3.46 billion revenue for the fiscal year 2019.
Twitter disclosed data breaches to the DPC in January 2019, but the office has said that it wasn’t the breaches themselves that got Twitter fined, as much as the company’s failure to properly report and document them within the 72-hour window mandated by the GDPR.
The breaches stemmed from a bug that could make Android users’ tweets public, even if they wanted them private.
The relatively small fine is a sign that the DPC doesn’t think Twitter’s violations are a particularly big deal, though the office has called the amount “effective, proportionate and dissuasive.” According to GDPR rules, regulators can ask for up to 4% of a company’s annual revenue for more serious offenses, and up to 2% for failing to document a breach.
The GDPR was implemented in the European Union in 2018, but this was the first investigation to undergo a “dispute resolution” process, which involves other regulating bodies in the EU. This resulted in some tension over the size of the fine: the Wall Street Journal reported that German regulators were pushing for an amount between €7 million and €22 million.
Twitter’s official communications account (@TwitterComms) wrote on December 15, 2020 that “an unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying @DPCIreland outside the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to them in a timely fashion.”
“We’re sorry it happened,” continued the statement.
This isn’t Twitter’s first run-in with the law over data privacy issues; the company’s commitment to security came under scrutiny this past summer, when the site was hacked by a 17-year-old Bitcoin scammer.