Ireland

Twitter International Company

450,000 €

GDPR enforcement action by Data Protection Authority of Ireland on 2020-12-15.

Rank · Sector: #67 of 369 in Media, Telecoms and Broadcasting
Rank · Ireland: #17 of 36
Rank · All fines: #256 of 3,050

Case details

Authority: Data Protection Authority of Ireland
Date: 2020-12-15
Controller / Processor: Twitter International Company
Sector: Media, Telecoms and Broadcasting
Quoted Articles: Art. 33 (1), (5) GDPR
Type of violation: Insufficient fulfilment of data breach notification obligations

Summary

The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach.
The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter's Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter's legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR.
