The Irish Data Protection Commission (DPC) has concluded its GDPR investigation into Twitter, finding that the microblogging social media network violated Articles 33(1) and 33(5) of the GDPR, and has imposed a financial penalty of €450,000 ($547,000).
The EU’s General Data Protection Regulation requires companies to report data breaches to the appropriate Data Protection Authority within 72 hours of the discovery of a data breach. Twitter discovered it had suffered a breach and reported the incident to the DPC on January 8, 2020, outside of that 72-hour reporting deadline. The DPC also determined Twitter did not adequately document the breach.
The breach in question related to platform users who had opted to have their Tweets protected. Users can decide whether to have their Tweets protected or unprotected when they register their accounts. Protected Tweets can only be viewed by the user’s followers on the platform and are not publicly accessible. Twitter discovered a bug in its platform which meant that if a user changed the email address registered with their account on an Android device, their protected Tweets became unprotected and were publicly viewable.
Twitter determined that 88,726 EU and EEA users were affected by the bug between September 5, 2017 and January 11, 2019, although Twitter was unable to determine whether individuals were affected prior to September 5, 2017. The bug was reported to Twitter through its bug bounty program on December 26, 2018 and was found to have been introduced on November 4, 2014.
Twitter’s Chief Privacy Officer explained the reason for the delayed breach notification, saying: “An unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day resulted in Twitter notifying the DPC outside of the 72-hour statutory notice period.”
Twitter has since made changes to ensure that any further incidents are reported within the 72-hour time frame required by the GDPR, regardless of the time of year when a breach is discovered.
While the fine is certainly large, it is worth bearing in mind that the maximum financial penalty for a GDPR violation is €20 million or 4% of global annual turnover, whichever is greater. The maximum possible fine based on Twitter’s global turnover in 2019 is $138 million, so the fine represents just 0.016% of its global annual turnover, or less than 2 hours of revenue for Twitter.