The fine was for a breach of the EU’s sweeping data protection and privacy regulations
Twitter was fined €450,000 ($548,000) by an Irish regulator on Tuesday, after a bug in its Android app caused some users’ protected tweets to be made public.
The fine represents the first cross-border decision handed down by Ireland’s Data Protection Commission, or DPC, for a breach of the European Union’s sweeping data protection and privacy laws—called GDPR—implemented in 2018. A number of European regulators objected to the size of the penalty and advocated for a more severe punishment.
A bug, traced back to a change in the app’s code from 2014, led to nearly 89,000 European Twitter
users’ protected tweets being made public between 2017 and 2019, according to Twitter’s own investigation.
It was discovered in late December 2018 by an external contractor managing the social media network’s bug-reporting program. Twitter reported the bug to the Irish data regulator in early January 2019, which kick-started an inquiry.
“We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur,” Twitter said in a statement posted on Twitter. “We’re sorry it happened.”
Get Breaking Stock Alerts
In investigating the incident, the DPC found that Twitter had broken GDPR rules over how quickly data breaches must be reported once discovered—within 72 hours. The social media company said its delay was the result of “an unanticipated consequence of staffing between Christmas Day 2018 and New Year’s Day.”
The DPC said the fine was “an effective, proportionate and dissuasive measure,” though other data regulators in the EU had advocated for a far higher penalty.
Twitter could have been fined as much as $60 million by the DPC, which amounts to 2% of the company’s 2018 annual revenue.
Regulators in Austria advocated for a fine of at least $30 million, while German regulators said the fine should have been in the range of €7.3 million to €22 million.
Ireland had the unilateral jurisdiction over the fine under the “one-stop-shop” GDPR regime, in which one national regulator takes the lead on behalf of the entire bloc.
Twitter fell under the boundaries of Irish regulation because, like other technology giants Apple
and Google, owned by Alphabet
its European headquarters are located in Ireland.
The DPC initially wanted to fine Twitter between $150,000 and $300,000 for the breach of GDPR rules. Other national regulators objected to the amount of the fine, triggering the landmark use of a new dispute mechanism overseen by the European Data Protection Board.