Twitter Fined €450,000 For Error In User Information Security

Ireland's Data Protection Commission (DPC) on December 15 announced it had fined social network Twitter €450,000 (about $546,000) for an error that caused some of the user's private tweets to be made public.

This is the first sanctions imposed on a US company based on the new European Union (EU) data security law.

The fine is related to a 2019 investigation into a Twitter in-app bug on the Android operating system, leaving several users' personal tweets publicly available.

The Irish DPC accused Twitter of failing to notify the regulator on time and not fully documenting the violation, considering the fine as a "commensurate and warning measure."

In a later statement, Twitter said that the reporting delay was "an unforeseen consequence" of the staffing between Christmas Day 2018 and the New Year Day 2019, and that they took corrective action to ensure timely reporting of future problems.

DPC Ireland, which is opening more than 20 major investigations of US technology companies, has the power to impose fines of up to 4% of a company's global revenue or €20m ($22m), depending on the level penalty.

Twitter is also included in at least two other investigations by the Irish regulator.

The "One Stop Shop" mechanism under the EU's General Data Protection Regulation (GDPR) allows DPC Ireland to be the main regulator of Twitter, Facebook, Apple and Google operations within the bloc. This is because Ireland is where companies choose to be headquartered in the EU.

GDPR has been in effect since 2018, but this Twitter case is the first to use a new dispute resolution system. Accordingly, a major regulatory body will make a decision before consulting other EU regulators.

In its final ruling, DPC Ireland said it originally planned to impose a fine of $150,000-$300,000. But the fines were raised after Austrian, German and Italian regulators successfully argued that they were too low.