Bringing an end to a case that was nearly two years in the making, Twitter will pay a GDPR fine of €450,000 (about $546,000) in the first cross-border enforcement action brought against a tech giant.
The fine stems from a data breach discovered back in January 2019, involving a bug that exposed certain protected tweets to the general public that was believed to have been in place since late 2014.
Twitter hit with first cross-border GDPR fine, though amount is unimpressive
The amount of the GDPR fine is not particularly noteworthy when stood up next to Twitter’s annual revenue of nearly $3.5 billion. However, the incident itself was also relatively minor in that it exposed only information the data subject had voluntarily written into a protected tweet, not any other personal data.
The Irish DPC issued the following statement on the fine: “The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.”
In a statement to TechCrunch, Twitter took responsibility for the breach and appeared to accept the decision, giving no indication that it intended to bring a legal challenge or appeal.
Reason for GDPR fine
The bug that prompted the GDPR fine is thought to have existed from about November 2014 until early 2019. Twitter allows users to make tweets private via the “protect your tweets” feature, which will cause them to only be displayed to approved followers of the account. Some users of Twitter’s Android app had their protected tweets exposed to the public during this timeframe. Non-followers were able to view these tweets in some cases, and they were also indexed by search engines such as Google and could pop up in search results. It does not appear that this happened to every user of the Twitter Android app, but the social media giant did not have an estimate as to how many were affected. The bug did not impact those who use Twitter via a web browser or through the iOS app.
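As an added illustration (not Twitter's code; the account names and follower table are constructed), this Python sketch models the visibility rule the article describes for protected tweets: only the author and approved followers may see them, anonymous readers and search-engine crawlers are refused server-side, protected pages carry a no-index header, and an audit sweep flags any protected tweet that turns up in a public search index.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass(frozen=True)
class Tweet:
    tweet_id: int
    author: str
    protected: bool      # True when the author has enabled "protect your tweets"

@dataclass(frozen=True)
class Viewer:
    handle: Optional[str]       # None = anonymous, not logged in
    is_crawler: bool = False    # a search-engine bot fetching the page

# Constructed sample data: approved followers per account (hypothetical).
APPROVED_FOLLOWERS: Dict[str, Set[str]] = {
    "alice": {"bob"},           # bob's follow request to alice was approved
    "carol": set(),             # carol has approved nobody yet
}

def can_view(tweet: Tweet, viewer: Viewer) -> bool:
    """Server-side visibility decision for one tweet.
    Public tweets are visible to everyone, crawlers included. A protected
    tweet is shown only to its author and to approved followers; anonymous
    readers, pending followers and crawlers are denied. The decision lives
    on the server so that a client (e.g. a mobile app) cannot widen the
    audience through a rendering bug of its own."""
    if not tweet.protected:
        return True
    if viewer.is_crawler or viewer.handle is None:
        return False
    if viewer.handle == tweet.author:
        return True
    return viewer.handle in APPROVED_FOLLOWERS.get(tweet.author, set())

def response_headers(tweet: Tweet) -> Dict[str, str]:
    """Headers for a tweet page: protected content must never be indexed or
    cached by shared caches, even if a visibility bug lets a crawler fetch it."""
    if tweet.protected:
        return {"X-Robots-Tag": "noindex, noarchive", "Cache-Control": "private, no-store"}
    return {"X-Robots-Tag": "all", "Cache-Control": "public, max-age=60"}

def find_exposed(tweets: List[Tweet], public_index: Set[int]) -> List[int]:
    """Detection sweep: ids of protected tweets present in a public index
    (for example, ids harvested from search results). Any hit means a
    protected tweet reached a crawler and should be treated as a breach."""
    return sorted(t.tweet_id for t in tweets if t.protected and t.tweet_id in public_index)
```

Running `find_exposed` periodically against a crawl of search results is the kind of check that would have surfaced this bug long before a user report did.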
The central determining factor in the GDPR fine appears to be the fact that Twitter did not disclose the breach within 72 hours of discovery. The company reportedly discovered the breach during the 2018 Christmas holiday period, but did not disclose it to European authorities until early January 2019. Twitter claimed that staffing issues between Christmas Day and New Year’s Day were the cause of the reporting delay.
The investigation time of nearly two years is becoming an expected standard from Ireland’s data protection commission, which tends to default to taking the lead on cross-border cases involving tech giants since so many of them have their EU headquarters in Dublin. The countries in which the complaints were originally received remain involved and ultimately participate in the final determination of GDPR fines, something that is reportedly leading to delays due to disagreements between the various authorities. The Irish DPC is also backlogged with investigations, as nearly all of the big names in tech now have some sort of data privacy action against them in the pipeline.
Size of Twitter GDPR fine
One of the central disputes in this case was the GDPR fine amount. The Irish DPC reportedly wanted an even smaller fine than the one that was eventually settled on, believing that the incident was due to simple negligence rather than being an intentional or systematic issue. Other regulators argued that the fine should be more substantial. Germany reportedly asked for a fine amount between $7 and $22 million USD. The ultimate fine amount was determined by a formal dispute resolution process, the first time this had been undertaken by the EU’s various data protection authorities.
Stephen Cavey, Co-founder and Chief Evangelist at Ground Labs, commented on what lessons organizations in general might draw about GDPR fines from this pioneering decision: “Whilst the level of fine is in dispute amongst different EU data protection commissioners, it is confirmation that regardless of size or notoriety, organizations continue to struggle with GDPR compliance. This is not the first, or the last, time we’ll see a tech giant face GDPR penalties as they are often targeted in an effort to set an example of enforcement, but every time it occurs, organizations should self-reflect on whether they are truly in compliance with the GDPR — or if they risk becoming a similar news headline … Compliance with GDPR is not a one-size-fits-all approach. Every company needs to have a strategy that is aligned to their specific business along with clear visibility into how they go about collecting, processing, disclosing, storing and deleting data, as well as a clear incident response procedure to handle any resulting data breach.”
On the topic of regulation, this decision comes as the EU rolls out new legislation that puts an added layer of regulation on social media sites and various types of online platforms. The Digital Services Act package is specifically targeted at large platforms that have become *de facto* gatekeepers for the publishing of content online. The final plans have yet to be published, but the early drafts have named measures that would strongly impact tech giants such as Twitter, Facebook and Google: forbidding automatic login to multiple services at once, banning platforms from preferential promotion of their own related services, and even forcing businesses to share certain types of commercial data. Platforms would also be required to improve their reporting and dispute resolution processes in various ways such as the use of out-of-court mediation agencies and more prompt handling of internal complaints.
The United Kingdom is also weighing a new online safety bill to be introduced in 2021, which would add fines of up to 10% of annual turnover to the existing GDPR-compatible regulations for incidents in which content is published that harms children. This includes not just the protection of at-risk children, but also the general publication of material that might be harmful to a child if viewed such as videos of violent deaths or any type of content that promotes suicide or self-harm.