The fine is relatively small but notable because it is the first time a US tech giant has been hit with a data protection penalty in a cross-border case in the EU. Whether it heralds the start of further similar legal action is open to debate as the case also highlights the slow pace of the EU’s enforcement process.
Ireland’s Data Protection Commission (DPC) has fined Twitter €450,000 ($546,000) over a data breach in January 2019 that exposed some supposedly private tweets from the service’s Android users.
The sanction comes after Twitter was found to have violated the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, because it failed to notify the regulator within 72 hours of discovering the breach.
The inquiry was headed by Ireland’s DPC because Twitter’s international headquarters are in Dublin.
Ireland’s DPC shared its draft decision with the other EU data protection authorities in May, as the GDPR’s cross-border cooperation procedure requires.
But because the GDPR applies across the entire EU, a number of other regulators objected to points in the draft, which eventually triggered the GDPR’s formal dispute-resolution process.
One key objection concerned the size of the fine: €450,000 ($546,000) is well short of the maximum of 2 percent of global annual turnover that the GDPR allows for this kind of infringement.
The Irish regulator originally wanted to fine Twitter even less than this as it believed Twitter’s failing was unintentional, according to the Wall Street Journal, but it decided to increase the amount after consulting with its European counterparts.
Under the GDPR, regulators can fine companies up to €10 million or 2 percent of their global annual turnover, whichever is higher, for failing to notify them of a data breach within 72 hours. Based on Twitter’s 2019 revenue, the 2 percent ceiling would be roughly $69 million.
The law, however, directs regulators to take into account the gravity and duration of the violation, the type of personal information at issue and other factors.
The fact that this dispute resolution took so long and still produced a relatively low penalty has drawn criticism of the GDPR’s effectiveness, and it may encourage some national regulators to bypass the GDPR’s lead-regulator mechanism in future. Because so many US tech companies have their European headquarters in Ireland, the DPC would otherwise continue to lead most such investigations.
There are already signs that this is happening. Last week, France’s privacy regulator, the CNIL, fined Google and Amazon a combined $163 million for violations of the ePrivacy directive, a separate rule that is enforced by each national authority directly rather than through the GDPR’s lead-regulator system.
Social media users were quick to point out the small size of the fine relative to Twitter’s revenue.
Others noted the number of EU member state regulators who opposed handing Twitter such a small fine.