Ireland’s privacy regulator, the Data Protection Commission, has handed down a fine of €450,000 or about $547,000 to Twitter Inc. after finding that the company had run afoul of the European Union’s General Data Protection Regulation.

The fine, announced today, is notable because it marks the first such GDPR-related penalty issued to a U.S. tech firm.

Implemented in 2018, GDPR mandates that companies request approval from EU-based users to download cookies onto their devices and includes a long list of other privacy requirements as well. The part of the legislation Twitter was found to have violated pertains to how organizations are expected to handle privacy breaches. 

Under GDPR, when a company becomes aware of an incident such as a cyberattack that compromised users’ privacy, it must notify regulators within 72 hours. Moreover, organizations must provide authorities with detailed documentation about what happened. Ireland’s Data Protection Commission found that Twitter failed to meet those criteria following its discovery in early 2019 of a bug that made some Android users’ private tweets accessible from the open web.

“DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach,” the watchdog stated today in the press release announcing the fine.

“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation,” Damien Kieran, the social network’s chief privacy officer and global data protection office, told TechCrunch in a statement. “An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72-hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.”

The Data Protection Commission’s fine follows a nearly two-year investigation. The probe was carried out by the Irish regulator because Twitter’s European head office is located in Ireland, along with the regional headquarters of many other U.S. tech firms. Several of the biggest names on the list, including Facebook Inc., Google LLC and Apple Inc., are being investigated by the Data Protection Commission over their own potential GDPR violations.

The penalty issued to Twitter is significant not only because it’s the first of its kind but also because it could potentially be followed by other GDPR-related fines against tech giants. Last month, it was reported that the Irish subsidiary of Facebook’s WhatsApp unit had set aside €77.5 million or about $94 million to cover possible fines it may receive from regulators over its privacy practices. 

Photo: Unsplash