Ireland’s Data Protection Commission (DPC) has fined Twitter € 450,000 ($547,000) for violating the European General Data Protection Regulation (GDPR). It is the first time that such an administrative fine has been imposed on a big US tech company under GDPR rules.
Data Breach Stems from a Design Bug
The GDPR is a set of data protection and privacy rules introduced by the European Union (EU) in May 2018. The aim is to give EU citizens more control over their personal data. Organizations, on the other hand, must ensure that they gather EU citizens’ personal data legally and that they adequately protect this data. The rules apply to companies of any size and type, inside or outside the EU.
The DPC’s investigation commenced in January 2019 after it received a breach notification from Twitter on 8 January 2019. The data breach resulted from a bug in Twitter’s design that affected users of Android devices. If these users changed the email address linked to their Twitter account, all their protected tweets suddenly became unprotected. Consequently, the wider public was able to see all of their tweets without the user’s knowledge.
An external contractor overseeing Twitter’s bug bounty program learned of this problem on 26 December 2018. After further investigation, Twitter discovered that other user actions could potentially cause the same issue. The company eventually traced the bug back to a code change made in 2014. At least 88,726 EU and EEA users were affected between September 2017 and January 2019. More users may have been affected, but due to Twitter’s data retention policy, users affected before that period can no longer be identified.
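The defect class described above, a settings update that silently downgrades an unrelated privacy flag, modelled as an added illustration; this is not Twitter’s code, and the buggy mechanism shown (an update handler that rebuilds the account from a form that omits the `protected` field) is an assumption used to show how a regression check would catch it.

```python
"""Privacy-invariant check for account updates (added example, hypothetical)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    user_id: int
    email: str
    protected: bool  # True -> tweets visible only to approved followers


# Hypothetical buggy path (assumed, not Twitter's real code): the handler
# merges the submitted form over a defaults record and rebuilds the account,
# so a field the form never carried (`protected`) falls back to public.
def change_email_buggy(account: Account, form: dict) -> Account:
    defaults = {"protected": False}
    merged = {**defaults, **form}
    return Account(user_id=account.user_id,
                   email=merged["email"],
                   protected=merged["protected"])


# Hardened path: touch only the field the user asked to change and carry
# every other stored setting over unchanged.
def change_email_fixed(account: Account, form: dict) -> Account:
    return replace(account, email=form["email"])


def privacy_downgrades(before: Account, after: Account) -> list[str]:
    """Names of settings that became less private after an update.
    A non-empty list is a regression: fail the test suite or raise an alert."""
    issues = []
    if before.protected and not after.protected:
        issues.append("protected")
    return issues


def regression_check(update) -> list[str]:
    """Run the invariant against an update function on a constructed account."""
    acct = Account(user_id=1, email="old@example.com", protected=True)
    new = update(acct, {"email": "new@example.com"})  # form carries only the email
    return privacy_downgrades(acct, new)


if __name__ == "__main__":
    print("buggy:", regression_check(change_email_buggy))   # ['protected']
    print("fixed:", regression_check(change_email_fixed))   # []
```

The same invariant can be run in production as a detection: diff the stored settings before and after every profile write and alert on any transition from private to public that the user did not explicitly request.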
Violation of GDPR Rules
The DPC’s inquiry examined whether Twitter complied with its obligations under the GDPR and whether an infringement had occurred. “The DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach”, said the Irish watchdog in its press release.
The Dublin-based regulator had already submitted an initial draft decision back in May. However, this draft received many objections from other regulators. Austria, Italy and Germany, for example, objected to the size of the penalty. The DPC took some of the objections into account.
1.5 Hours to Earn Back the € 450,000 Fine
On Tuesday, the DPC imposed an administrative fine of € 450,000 ($547,000) on Twitter. The watchdog described this as “an effective, proportionate and dissuasive measure.” While the sum may seem high to some, it is actually not when put into perspective: Twitter needs only an hour and a half to earn the amount required to pay the fine, as privacy activist Max Schrems pointed out.
Over the summer, Max Schrems and his noyb foundation filed 101 complaints against EU and EEA websites. Under GDPR rules, regulators can fine companies up to € 20 million, or up to 4% of their global annual revenue, for violations of the rules.
Consequently, for Twitter, breaching GDPR rules could potentially attract a fine of up to $140 million on a reported $3.5 billion revenue. Yet, given the fact that the breach was unintentional and of a one-off nature, and that Twitter admitted its fault, it was unlikely that the DPC would have issued a massive fine. Nonetheless, the amount is in stark contrast with the € 100 million fine the French data protection authority (CNIL) imposed on Google for cookie violations just a week ago.
Backlog of Cases Against US Tech Firms
The draft decision in this inquiry was the first to go through the dispute resolution process since the GDPR’s introduction. It was also “the first draft decision in a big tech case on which all EU supervisory authorities were consulted”.
Moreover, there’s a backlog of ongoing cases against US technology firms. Inquiries are ongoing with Apple, Facebook, Google, LinkedIn, WhatsApp, and others, and there’s at least one other case against Twitter. Facebook will face the DPC in the Irish High Court next week regarding a DPC inquiry and preliminary decision on the transfer of millions of EU users’ personal data to the US.
Europe and the UK have also unveiled important new laws to keep US technology giants in check. In Europe, the Digital Services Act and the Digital Markets Act were published yesterday afternoon, while the UK has announced tough new rules to curb illegal and harmful content.