Twitter Slapped With Fine for Breaking EU’s Data Privacy Law

Twitter Inc. was fined 450,000 euros ($547,000) by its chief European Union data protection watchdog for failing to give a timely warning about a breach that threatened the privacy of Android phone users across the bloc.

Twitter violated EU data protection rules by failing to report a breach within the required 72 hours, Ireland’s Data Protection Commission said Tuesday in a statement.

The penalty was levied as “an effective, proportionate and dissuasive measure,” the Irish watchdog said.

The U.S. social-media giant last year warned the Irish authority of a potentially disabled privacy setting that put some devices running on Google’s Android mobile operating system at risk. The Irish authority’s investigation started in January 2019. Because it potentially affected users throughout the EU, the regulator had to send the draft findings of its probe to other authorities, dragging out a process that critics complained took far too long.

“We’re sorry it happened,” Damien Kieran, Twitter’s chief privacy officer and global data protection officer, said in a statement.

The company said its failure to notify the breach in time was due to an “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day” and that it has since made changes “so that all incidents following this have been reported” in a “timely fashion.”

Cases at the Irish data-protection regulator have been piling up since the bloc’s tough General Data Protection Regulation took effect in May 2018. The slow pace has attracted criticism from privacy advocates and other EU regulators, which have no power to decide on cases concerning wider European violations by companies with an Irish EU base.

GDPR allows regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations. The biggest fine to date under the EU’s data protection rules was a 50 million-euro penalty for Google issued by France’s watchdog CNIL.

The French authority last week slapped Google with a 100 million-euro penalty over the way it manages cookies on its search engine, but the decision was taken based on separate rules regulating firms’ use of cookies and other tracking devices.

Helen Dixon, Ireland’s privacy commissioner, has opened at least 20 probes into big tech firms since the EU’s new privacy rules took effect, including cases involving Apple Inc., Facebook Inc. and Microsoft Corp.’s LinkedIn.

©2020 Bloomberg L.P.
