Twitter has been fined over half a million dollars for violating European Union data protection laws in the first EU-wide privacy case.
The EU’s chief data watchdog today announced that it has issued an administrative fine of 450,000 euros ($547,000) to the social media titan for being too slow to notify Android phone users located across the EU of a data breach that threatened their privacy.
A further finding of the investigation into the breach by Ireland’s Data Protection Commission (DPC) was that Twitter failed to adequately document the security incident.
The DPC’s investigation into the incident commenced in January 2019 following receipt of a breach notification from Twitter. On Tuesday, the DPC stated that Twitter “infringed Article 33(1) and 33(5) of the General Data Protection Regulation (GDPR) in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.”
Under EU data protection rules, it is a requirement to report a breach within 72 hours of discovery.
The commission described the not insignificant financial penalty levied on the American company as “an effective, proportionate and dissuasive measure.”
According to the Binding Decision of the Board, the data breach arose from a bug in Twitter’s design that caused the protected tweets of Android device users to become unprotected without their consent if users changed the email address associated with their Twitter account.
The bug, which affected 88,726 EU and EEA users between September 2017 and January 2019, was traced back to a code change made on November 4, 2014. It was discovered on December 26, 2018, by the external contractor managing Twitter’s bug bounty program.
Referencing the significance of the Twitter inquiry, the DPC stated: “The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (‘dispute resolution’) process since the introduction of the GDPR and was the first Draft Decision in a ‘big tech’ case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.”