Irish data watchdog fines Twitter €450,000

Twitter discovered the breach in December 2018, but didn't notify the regulator until January 2019

Ireland's Data Protection Commission (DPC) has imposed a €450,000 ($550,000) fine on Twitter, over a data breach that made some private tweets public.

The data watchdog said it was issuing the fine over Twitter's failure to notify the regulator on time, and also for failing to adequately document the breach.

This is the first time that Ireland's DPC has penalised a US 'Big Tech' firm for violating the GDPR. It is also the first time that the European Data Protection Board (EDPB) procedure set out in the GDPR has been used to penalise a company in Europe.

The GDPR states that regulators in an EU member state where a firm's European headquarters are based can make decisions against the firm before referring the matter to regulators in other member states. If there is an objection from any regulator, the matter goes to the EDPB, where it will need support from two-thirds of the 27 member states.

In this particular case, the DPC initially fined Twitter - which has its European headquarters in Dublin - in May 2020. The case was referred to the EDPB after other member states objected to the decision. After months of arguments and discussions, the DPC's decision has now been upheld.

The security bug that brought the €450,000 fine for Twitter allowed thousands of people's private tweets to be made public between late 2014 and early 2019. The social media company discovered the breach in December 2018, but did not notify the regulator until 8th January 2019.

Because of the bug, Twitter's "Protect Your Tweets" feature could be inadvertently disabled if a user changed the email address associated with their account. The bug only affected Android users. Twitter publicly disclosed the flaw on 17th January 2019, after releasing a patch.
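The class of defect described here, a settings update that silently resets an unrelated privacy flag, is easy to illustrate. The following is an added example and not Twitter's code; the article does not state the actual root cause, so the buggy handler below is an assumed mechanism (rebuilding the account record from a partial form so that omitted fields fall back to defaults) shown beside a fixed handler and the regression check a defender would run over update events. The `Account` type, the two `update_email_*` functions and the sample records are all constructed for this illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Account:
    """Constructed account record; `protected` models 'Protect Your Tweets'."""
    user_id: int
    email: str
    protected: bool


def update_email_vulnerable(account: Account, form: dict) -> Account:
    """Assumed buggy handler: it rebuilds the whole record from the submitted
    form, so any setting the form does not carry falls back to its default.
    A client that only sends the new e-mail therefore flips a protected
    account to public without the user touching the privacy setting."""
    return Account(
        user_id=account.user_id,
        email=form["email"],
        protected=form.get("protected", False),  # default silently disables protection
    )


def update_email_fixed(account: Account, form: dict) -> Account:
    """Fixed handler: only the field being edited changes; every other
    setting is carried over from the stored record."""
    return replace(account, email=form["email"])


def privacy_regressed(before: Account, after: Account) -> bool:
    """True when an update weakened a privacy setting it had no business
    touching. Suitable as a unit test and as a check on an audit stream."""
    return before.protected and not after.protected


def audit_updates(events: list[tuple[Account, Account]]) -> list[int]:
    """Return the user ids whose protection was lost across an update.
    In production this would feed an alert rather than return a list."""
    return [before.user_id for before, after in events if privacy_regressed(before, after)]


def demo() -> dict:
    """Run both handlers over constructed sample accounts and report what
    the audit finds for each."""
    accounts = [
        Account(1, "a@example.invalid", protected=True),
        Account(2, "b@example.invalid", protected=False),
        Account(3, "c@example.invalid", protected=True),
    ]
    # The client only submits the field it is changing.
    forms = [{"email": f"new{a.user_id}@example.invalid"} for a in accounts]

    vulnerable_events = [(a, update_email_vulnerable(a, f)) for a, f in zip(accounts, forms)]
    fixed_events = [(a, update_email_fixed(a, f)) for a, f in zip(accounts, forms)]
    return {
        "vulnerable": audit_updates(vulnerable_events),  # [1, 3]
        "fixed": audit_updates(fixed_events),            # []
    }


if __name__ == "__main__":
    print(demo())
```

The audit function is the piece worth keeping: a bug of this shape produced no error and no crash, so the only way to notice it early is to compare the privacy-relevant fields of a record before and after every unrelated write and treat any downgrade as an incident, which also gives the notification timeline a concrete starting point.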

Twitter told the DPC that it could identify only about 89,000 users affected by the breach from September 2017 onward.

"We respect the commission's decision, which relates to a failure in our incident response process," Damien Kiernan, Twitter's chief privacy and global data protection officer, said in a statement, according to the Irish Times.

Kiernan added that the company has "made changes so that all incidents following this have been reported to the commission in a timely fashion".

The news comes as Twitter and Amazon announced that they have signed a multi-year agreement to run Twitter's real-time timelines on Amazon Web Services.

"This expansion onto AWS marks the first time that Twitter is leveraging the public cloud to scale their real-time service," Amazon said. "Twitter will rely on the breadth and depth of AWS, including capabilities in compute, containers, storage and security, to reliably deliver the real-time service with the lowest latency, while continuing to develop and deploy new features to improve how people use Twitter."

Parag Agrawal, Twitter CTO, commented: "We are excited to work with AWS to expand the infrastructure Twitter uses to serve the public conversation as we grow globally."

"The collaboration with AWS will improve performance for people who use Twitter by enabling us to serve Tweets from data centers closer to our customers at the same time as we leverage the Arm-based architecture of AWS Graviton2 instances. In addition to helping us scale our infrastructure, this work with AWS enables us to ship features faster as we apply AWS's diverse and growing portfolio of services."