On December 15, 2020, the Irish Data Protection Commission (DPC) announced a fine of €450,000 against Twitter International Company (Twitter), following an investigation into a breach that resulted from a bug in Twitter's design. The fine was issued under the EU General Data Protection Regulation (GDPR); it was the largest issued by the Irish DPC to date and the first against an organization from the United States.
The bug in question changed protected tweets to unprotected ones, making them widely available to the public without the user's knowledge. Twitter users on Android devices who changed the email address associated with their Twitter accounts were affected by the bug. By Twitter's estimate, 88,726 users in Europe were affected between September 5, 2017, and January 11, 2019. The bug was discovered on December 26, 2018.
Investigation and Resolution
The DPC began its investigation into the Twitter breach in January 2019 under section 110 of the Irish Data Protection Act 2018. In May 2020, as required by GDPR's Article 60, the DPC provided its draft decision to the concerned supervisory authorities. The supervisory authorities in Germany, Austria, and Italy raised objections to the DPC's proposed penalty, which was within the range of €135,000-€275,000, as being insufficiently dissuasive in nature and size. This led the DPC to trigger the GDPR's dispute resolution procedure and to refer the matter, along with the objections it was unwilling or unable to resolve, to the European Data Protection Board (EDPB).
The EDPB evaluated the matter and issued its binding decision on November 9, 2020. The decision required the DPC to re-assess the elements it relied on in calculating the fixed fine amount to be imposed on Twitter, and to amend its Draft Decision by increasing the level of the fine so as to ensure it fulfils its role as a corrective measure.
The DPC identified the alleged failures as an infringement by Twitter of Articles 33(1) and (5) of the GDPR, which provide for data breach notification and documentation. According to the DPC, Twitter failed to notify the DPC of the breach within the 72-hour deadline and failed to document the breach adequately. Twitter stated that its delay in notifying the DPC within the required timeframe was due to the failure of Twitter International Company's processor, Twitter, Inc., to notify the Data Protection Officer (DPO) of Twitter International Company of the potential breach when it became aware of it.
In alleging Twitter's failure to document the breach in accordance with GDPR's Article 33(5), the DPC stated that the company's documentation of the breach did not contain sufficient information for the DPC to verify Twitter's compliance with GDPR's Article 33. Furthermore, the DPC said that Twitter's incident report neither adequately explained the issues that caused the delay in notifying the DPC nor addressed Twitter's assessment of the risks to those users affected as a result of the breach.