THE DATA PROTECTION Commission (DPC) has issued Twitter with a fine of €450,000 for its handling of a data breach under the General Data Protection Regulation (GDPR).
The DPC opened an investigation into Twitter in January 2019 after the company publicly disclosed that it had inadvertently made some users’ private tweets public.
The regulator found that the social media company failed to promptly declare and properly document the breach.
It’s the first such cross-border GDPR decision by the commission, which serves as the lead European Union privacy supervisor for a number of tech giants.
The watchdog described the fine as “an effective, proportionate and dissuasive measure”.
The regulation requires most breaches of personal data to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach.
It also stipulates that they document what data was involved and how they’ve responded to the security incident. Twitter was found to have failed on both counts in this case.
GDPR allows for fines of up to €30 million or 4% of global turnover, whichever is higher, to be imposed on companies that breach the regulation.
Twitter said an unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in it notifying the commission outside of the 72 hour period.
“We have made changes so that all incidents following this have been reported to the DPC in a timely fashion,” it said.
We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur.
To embed this post, copy the code below on your site
have your say