Seems like Twitter is ending 2020 on a bitter note! From multiple data breaches to a series of celebrity account hacks, the social networking giant faced a string of challenges in 2020. And the latest fine from Ireland’s data regulator adds to its woes. On December 15, the Irish Data Protection Commission (DPC) fined Twitter €450,000 ($547,000) as an “effective, proportionate, and dissuasive measure” for a data breach that occurred in January 2019. The data leak was the result of a vulnerability that made users’ private tweets public.
The DPC’s investigation found that Twitter infringed Articles 33(1) and 33(5) of the GDPR by failing to notify the authorities of the breach on time.
“The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (dispute resolution) process since the introduction of the GDPR and was the first Draft Decision in a big tech case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities,” the DPC said in a statement.
Under the GDPR, organizations are required to notify the relevant data protection authority of a personal data breach within 72 hours of becoming aware of the incident. Breached organizations are also required to document what data was compromised and how they responded to it.
Commenting on the data breach fine, Twitter’s Chief Privacy Officer Damien Kieran said, “Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.
We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness,” Kieran added.