GDPR Fines Twitter
Roughly three weeks ago, experts warned that agencies attempting to enforce the General Data Protection Regulation (GDPR) on the big tech industry would have to step up their game. Just last week, GDPR caught its first big fish.
On December 15, Ireland’s Data Protection Commission (DPC) fined Twitter about $547,000 over a data breach, specifically for failing to promptly declare and properly document the breach under Europe’s GDPR.
The decision is newsworthy because it is the first cross-border GDPR decision by the Irish watchdog agency, which is the lead EU supervisor for many tech giants. DPC has active investigations into Facebook, WhatsApp, Google, Apple and LinkedIn, as well.
The DPC began investigating Twitter in January 2019 following a breach notification from Twitter. It determined that Twitter infringed Article 33(1) and 33(5) of the GDPR by failing to notify the DPC of the breach on time and failing to adequately document the breach.
GDPR requires controllers to notify the relevant supervisory authority of most personal data breaches within 72 hours of becoming aware of the breach. The regulation also requires that they document what data was involved and how they responded to the security incident so that the relevant data supervisor can verify compliance. In this instance, Twitter failed on both counts.
Twitter attributed the compliance failure to inadequate staffing over the 2018 holidays, which led to the delay in reporting the breach. Twitter publicly disclosed in January 2019 that its “Protect your tweets” feature may have left some Android users who had applied the setting to make their tweets non-public with their data exposed to the public Internet since as far back as 2014.
Some privacy advocates have called the $547,000 fine a slap on the wrist considering the social media giant can earn that much revenue in roughly 90 minutes.
That fine may represent chump change for Twitter, but it could probably take down many of the SMBs 2W Tech works with. Don’t let GDPR or any of your other regulatory obligations bring you down. 2W Tech’s Cybersecurity Compliance Program will help you get your compliance needs in order no matter what industry you’re in. Contact us today to get started.