Twitter scores a first for big tech after being fined €450,000 by Ireland's data watchdog for violating the EU's GDPR

Fellow industry giants shuffle feet nervously


Ireland's Data Protection Commission (DPC) has fined Twitter €450,000 after ruling a bug in the firm's Android app that allowed users' private messages to be publicly viewed infringed the EU's General Data Protection Regulation (GDPR).

The fine is a first levied by the Irish government against one of the so-called Big Tech outfits since the European regulations were introduced in May 2018. The Emerald Isle is notoriously tech-friendly on the tax and regulation front and the new fine is unlikely to cause the micro-blogging platform sleepless nights.

"The DPC's investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure," the DPC said.

"The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 ('dispute resolution') process since the introduction of the GDPR and was the first Draft Decision in a 'big tech' case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities," it added.

Article 33(1) requires that notification of a breach be given "without undue delay and, where feasible, not later than 72 hours after having become aware of it." Article 33(5) is more concerned with the documentation process around it. The DPC considered the infringements "to be moderately serious in terms of their gravity" and upped the amount from the previous range in the draft decision ($150,000-$300,000).

Under GDPR, companies can be fined up to 4 per cent of their turnover or up to €20m, whichever is greater.

Things kicked off at the beginning of 2019 when a flaw in Twitter's Android app came to light that had inadvertently exposed private tweets after a "Protect your Tweets" setting was changed.

It's been a long and winding path for the case and reaching a unified agreement with other supervisory bodies across EU member states had apparently proven challenging amid attempts to harmonise interpretations of the law.

Ireland's Commissioner for Data Protection, Helen Dixon, reportedly said at the Web Summit conference in Lisbon this month that "the process didn't really work".

"It is the first time EU data protection authorities have stepped through the process so maybe it can only get better from here," she said.

To put the fine into context, Twitter reported revenues of $3.46bn in calendar 2019 and made a net profit of $1.47bn. Today's sum will barely leave a blemish on the balance sheet.

However, the company is not revelling in being the first of the tech giants to be fined under GDPR by Ireland.

"Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC's decision, which relates to a failure in our incident response process," a spokesperson for Twitter told The Register.

"An unanticipated consequence of staffing between Christmas Day 2018 and New Year's Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.

"We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR's breach notification requirements. Our approach to these incidents will remain one of transparency and openness." ®
