The Irish Data Protection Authority Imposes Its First Fine on a Multinational Tech Firm

On December 15, 2020, the Irish Data Protection Commissioner (DPC) has announced a €450,000 fine against Twitter for its violations of Article 33(1) and (5) of the GDPR.  The penalty is the first GDPR fine on a multinational tech firm imposed by the DPC.

The fine stems from the Twitter’s January 2019 notification of the data breach where some private tweets were made publicly available as a result of a bug that affected the “Protect my tweets” function on some Android phones. As a result of the bug, some users may have unwittingly had their tweets exposed publicly from 2014.

Article 33(1) of the GDPR requires controllers to notify the supervisory authority of serious personal data breaches “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”  Article 33(5), in turn, requires controllers to “document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.”  The DPC concluded that Twitter infringed these provisions by failing to notify the breach on time to the DPC and by failing to adequately document the breach.  According to Twitter, a delay in the reporting was caused by a staffing issue in the period between Christmas Day 2018 and New Years’ Day.

Under the GDPR dispute-resolution procedures, a fine imposed by the DPC, a lead supervisory authority, required approval of other European Data Protection Authorities.  Since the DPC’s initial draft decision was not jointly agreed upon by the other Authorities, it had to go through the Article 65 dispute resolution process, the first time such process was invoked under the GDPR.

Improve customer trust with Clarip’s privacy governance platform.  Schedule a demo of the Clarip data mapping software for GDPR by calling 1-888-252-5653.