15th December 2020
The Data Protection Commission (DPC) has today announced a conclusion to a GDPR investigation it conducted into Twitter International Company. The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure.
The draft decision in this inquiry, having been submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR in May of this year, was the first one to go through the Article 65 (“dispute resolution”) process since the introduction of the GDPR and was the first Draft Decision in a “big tech” case on which all EU supervisory authorities were consulted as Concerned Supervisory Authorities.
The European Data Protection Board has published the Article 65 decision and the final decision on its website here.
Source: Data Protection Commission
Comment: €450,000 is slightly under $550,000.00 USD. If you don’t remember the incident that led to the inquiry, the DPC’s decision summarizes the issue here:
The personal data breach that is the subject of this Decision (‘the Breach’) relates to a “bug” in Twitter’s design. A user of Twitter can decide if their tweets will be “protected” or “unprotected”. In the former case, only a specific set of persons (followers) can read the user’s protected tweets. The bug that resulted in this data breach meant that, if a user operating an Android device changed the email address associated with that Twitter account, their tweets became unprotected and consequently were accessible to the wider public without the user’s knowledge.
Somewhat ironically, this blogger had noticed the bug’s results and had tried to alert Twitter to it, but found that Twitter had no way to report an issue to them if you weren’t willing to go through HackerOne. I did not want to become a bounty hunter or register on HackerOne. I simply wanted to alert Twitter to what I noticed as a serious problem with supposedly protected tweets being exposed and indexed by Google. Would being able to notify them have changed anything? Not as far as this decision goes, because this decision was based, in part, on Twitter’s failure to notify within 72 hours and not on failure to detect. But it’s still something that might occur again unless Twitter has now figured out to allow people to report concerns without registering for HackerOne or some bounty program.
With respect to the delay in notification that led to the monetary penalty, Twitter issued a statement, cited by TechCrunch, that says in part:
An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.