Twitter International Company: Insufficient fulfilment of data breach notification obligations

The Irish DPA (DPC) fined Twitter International Company EUR 450,000 for violating Art. 33 (1) GDPR and Art. 33 (5) GDPR for failing to notify the DPA in a timely manner of a data breach and not adequately documenting that breach. The data breach concerned the privacy settings of user posts on the social media platform Twitter. There, users have the option to set the visibility of their posts to private or public. Private posts can only be seen by subscribers of the respective user profile, while public posts are visible to the public. A programming bug in Twitter's Android app resulted in some private posts being visible to the public. The DPA found that Twitter had not properly fulfilled its reporting and documentation obligations. Twitter's legal team became aware of the error on January 2nd, 2019, and it was not until January 8th that the company informed the DPC. Consequently, the company failed to inform the DPC within the 72-hour period required by Art. 33 (1) GDPR. Furthermore, it had failed to adequately document the incident in accordance with Art. 33 (5) GDPR.

GDPR Articles: Art. 33 (1), (5) GDPR
Industry: Media, Telecoms and Broadcasting