The Irish Data Protection Commission has issued “an effective, proportionate and dissuasive” fine of €450,000 under GDPR to Twitter after finding the company guilty of not reporting a data breach in time and of not documenting the breach adequately.
In December 2018, when testing the Twitter platform as part of the company’s bug bounty programme, an external contractor discovered a major security issue that arose as a result of a code change that was implemented in November 2014.
The security issue meant that whenever an Android device user changed the email address associated with their Twitter account, their protected tweets became public without the user’s knowledge. This issue played havoc with the privacy of 88,726 EU and EEA users between 5 September 2017 and 11 January 2019, and possibly affected hundreds of thousands of users worldwide in the period since the code change took place.
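The failure mode described above, an unrelated account change silently flipping a privacy setting, is the kind of regression a defender would want an automated check for. The following added example is not code from the article or from Twitter; it is a constructed illustration showing how to assert a privacy invariant (the `protected` flag must survive an email change) across a settings update, and how to diff two settings snapshots to flag any field that changed without being requested. The account model, field names and sample values are all assumptions.

```python
from dataclasses import dataclass, asdict, replace

# Hypothetical account settings model (assumption, not Twitter's data model).
@dataclass(frozen=True)
class AccountSettings:
    email: str
    protected: bool          # True = tweets visible only to approved followers
    discoverable_by_email: bool

# Fields that are privacy-relevant and must never change as a side effect
# of an update that did not explicitly target them.
PRIVACY_FIELDS = {"protected", "discoverable_by_email"}

def update_email(settings: AccountSettings, new_email: str) -> AccountSettings:
    """Apply a partial update: only the requested field changes.

    Using dataclasses.replace copies every other field from the existing
    record, so the privacy flags cannot silently fall back to a default.
    """
    return replace(settings, email=new_email)

def unexpected_changes(before: AccountSettings, after: AccountSettings,
                       requested: set[str]) -> set[str]:
    """Return the privacy fields that changed although they were not requested.

    This is the invariant check a regression test or a post-deploy audit
    would run: an empty set means the update stayed within its remit.
    """
    b, a = asdict(before), asdict(after)
    return {f for f in PRIVACY_FIELDS - requested if b[f] != a[f]}

def email_change_preserves_privacy(settings: AccountSettings, new_email: str) -> bool:
    """End-to-end check: change the email and confirm no privacy flag moved."""
    after = update_email(settings, new_email)
    return after.email == new_email and not unexpected_changes(settings, after, {"email"})

if __name__ == "__main__":
    # Constructed sample account with protected tweets.
    acct = AccountSettings(email="old@example.invalid", protected=True,
                           discoverable_by_email=False)
    print("email change keeps tweets protected:",
          email_change_preserves_privacy(acct, "new@example.invalid"))

    # Constructed snapshot of what a buggy update path would have produced:
    # the flag is reset even though only the email was requested.
    bad_after = AccountSettings(email="new@example.invalid", protected=False,
                                discoverable_by_email=False)
    print("fields changed without request:",
          unexpected_changes(acct, bad_after, {"email"}))
```

The diff-based check is deliberately independent of how the update is implemented, so it can be run against snapshots of real records before and after a deploy, not only inside unit tests.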
The bug was discovered on 26th December 2018 and Twitter, after making an assessment that the discovery amounted to a major security incident, informed the Irish Data Protection Commission about the breach on 8th January 2019, a day after it officially informed the Global DPO about the same.
Noting that Twitter informed it about the security breach on 8 January after learning of it on 3 January, the Irish Data Protection Commission said in its preliminary draft decision that Twitter violated Article 33(1) of GDPR, which requires organisations to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them.
The Irish Data Protection Commission also noted that Twitter violated Article 33(5) of GDPR by failing to include sufficient information about the incident in the documentation provided to the authority. The documentation was not considered to contain a record or document of, specifically, a “personal data breach”, since it amounted to “documentation of a more generalised nature”.
“The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” it said.
Commenting on the fine issued to Twitter, Darren Wray, CTO at data privacy experts Guardum, said this case should send a message to large tech firms that they need to take their data privacy responsibilities very seriously. Allowing access to information without the data subject’s consent, or worse still against their expressed consent, is something that just can’t be allowed to happen, and if it does, the GDPR and other data privacy regulations are going to be there to add incentives to ensure that it doesn’t happen again.
“The GDPR has been in place for over 2 years now and it seems that its teeth are getting sharper. All companies need to ensure that they are maintaining their compliance in the most efficient and effective ways. GDPR is no longer the new kid on the block and there are many other countries and indeed US states who are following the EU’s lead in implementing and updating their data privacy regulations.”
The Irish DPC’s decision to fine Twitter comes on the heels of French data protection regulator CNIL fining Google and its subsidiary Google Ireland Ltd a total of €100 million for automatically placing advertising cookies on users’ devices without obtaining prior consent, thereby amassing huge advertising income at the expense of users’ privacy.
The fine was imposed following an investigation into Google’s adherence to the General Data Protection Regulation (GDPR) and the French Data Protection Act that began in March this year. CNIL found that not only did Google automatically place cookies on users’ devices, but it also failed to inform users about the placement of cookies, and failed to withdraw advertising cookies from users’ devices even when users did not wish to keep cookies on their devices.
In January last year, CNIL also issued a fine of 50 million euros (£44 million) to Google for failing to adhere to GDPR requirements while obtaining consent from users to process their personal data for delivering personalised advertisements.
CNIL said that Google was guilty of violating GDPR as far as obtaining user consent for the collection of personal data was concerned, as the company did not obtain specific or unambiguous consent for processing personal data across different websites or applications, nor were users sufficiently informed about how or for what purposes their personal data would be processed.