Twitter fined by Ireland over bug that made private tweets public, in world first for EU data privacy law

Twitter has been fined over a bug that made private tweets public, in a world-first for data protection laws.

Ireland has fined the company €450,000 for its failure to quickly report the breach, which was the result of a bug in the Android app.

It is the first time that a US company has been fined under a new data privacy system instituted in the EU as part of its General Data Protection Regulation regime.

The fine related to an issue in Twitter’s app that emerged in 2019. A technical problem meant that tweets that were supposed to be protected could be viewed by the public, the Irish Data Protection Commission said.

The fine was levied in part because Twitter had broken GDPR rules by failing to notify the regulator in time and also failing to “adequately document the breach”.

“The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” it said.

But as significant as the judgement itself was the new way it was arrived at. Though the GDPR rules went into effect in 2018, the new judgement was the first to make use of a new “dispute resolution” process.

The rules mean that one national regulator is able to make a decision and then consult with other national regulators within the European Union. If any of those other EU regulators object to the initial ruling, the decision is then passed onto the European Data Protection Board, where it will stand if it is approved by a two-thirds majority of states.

The EDPB announced that it had approved the initial decision by the Irish regulator, meaning that the decision will stand and the fine will be imposed on Twitter.

The company said that it took responsibility for the mistake and appreciated the clarity the decision brings. It noted that the fine related specifically to Twitter’s failure to report the breach, which was the result of an “unanticipated consequence of staffing”.

“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation," said Damien Kieran, Twitter’s chief privacy officer and global data protection officer.

"We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.  

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”