Twitter has been fined €450,000 (£400,000) by the Data Protection Commission in Ireland for breaking Europe’s GDPR data privacy rules.
It’s the first time the EU regulator has penalised a big US tech firm under GDPR legislation.
It ruled that Twitter failed to notify it within 72 hours after identifying a data breach in January 2019, and it also did not adequately document what had happened.
Twitter has accepted responsibility.
In a statement, the firm blamed “an unanticipated consequence of staffing” during the period between Christmas Day 2018 and 1 Jan 2019 for its failure to notify the regulator within 72 hours of discovering the breach.
“We respect the IDPC’s decision, which relates to a failure in our incident response process,” said Damien Kieran, Twitter’s chief privacy officer and global data protection officer.
The IDPC said it believed the fine was “an effective, proportionate and dissuasive measure”.
It related to a bug affecting Android users who had made their tweets private – it meant that if they made some changes to their account, their tweets could have been made public in error. The bug dated back to 2014, the firm said at the time.
It was disclosed in January 2019 and the DPC began its investigation shortly afterwards.
Darren Wray, of privacy firm Guardum, said the penalty was a sign that the teeth of the GDPR were “getting sharper”.
“This case should send a message to large tech firms that they need to take their data privacy responsibilities very seriously,” he said.
The fine does not relate to the hacking of celebrity Twitter accounts which happened in the summer.
Twitter later revealed that had happened as a result of spearphishing and human error.