The Data Protection Commission (DPC) of Ireland threatens Twitter with a fine of $550,000 or €450,000 for failing to adequately declare and register a data violation under the General Data Protection Law of Europe or the GDPR.
The Commission’s ruling is notable as it is the Irish watchdog’s first cross-border GDPR decision, and is the EU’s main protection regulator for several technology giants. It has a backlog of more than 20 cases pending, including WhatsApp, Facebook, Google, Apple, and LinkedIn active probes.
The DPC frequently reported in a press release that the inquiry of the DPC started in January 2019 following receipt of a notice of a violation from Twitter and the DPC discovered that the social networking app has infringed Article 33(1) and 33(5) of the GDPR by failing to inform the DPC of the infringement on time and by failing to properly log the infringement.
The press release also notes that, as an appropriate, proportionate and dissuasive action, the DPC has placed on Twitter an administrative fine of $550,000 (€450,000).
Europe’s GDPR asked Twitter to disclose its most personal data violations to the appropriate data supervisory authority within 72 hours.
For the data supervisor to search against compliance, the law also asked Twitter to log what sort of data involved and how they reacted to the security violation. In this situation, Twitter struggled to follow all these.
Twitter reported that after the incident, where insufficient staffing contributed to a pause in disclosing the violation during the 2018 holiday season, it has made all the requisite incident notifications to the DPC within the 72-hour timeframe needed.
The judgment of the DPC referred to an infringement revealed publicly by Twitter in January 2019, when it claimed that a flaw in its “Protect your tweets” function may have implied that since 2014, any Android users who had applied the setting to make their tweets non-public could have leaked their data to the Internet. However, the GPDR has only been willing to apply to data exposed by the error since 2018.
Twitter has seen several protection problems after accepting the flaw, including enduring a high profile account hijacking event in early 2020, after crypto-scam-spreading hackers had network access passwords utilizing a technique of social engineering.
The DPC of Ireland
For as long as it takes to make judgments on large cross-border GDPR cases where impacts on human rights will reach hundreds of millions of Internet users in Europe, the Ireland’s DPC tends to face scrutiny.
Commissioner Hellen Dixon announced in 2019 that his first big decisions on the GDPR will be taken early in 2020. When a few days before the end of 2022, the first cross-border ruling crossed the line, it underlines the difficulties confronting the bloc in successfully imposing its digital laws against tech giants.