Ireland’s privacy watchdog on Tuesday hit Twitter with a fine of 450,000 euros ($547,000) over GDPR violations. The fine is the result of a landmark decision by the regulator to penalize the social platform for violating Europe’s strict data protection law, which is likely the first of several that will target tech giants in the coming months and years.
The fine follows aby Ireland’s Data Protection Commission, which acts as the lead regulator on behalf of the entire EU for tech giants that have their European headquarters in Ireland. In a press release, the DPC described the fine against Twitter as “an effective, proportionate and dissuasive measure.”
Twitter received the penalty because in December 2018 it suffered a breach and didn’t report it quickly enough to the DPC (under the GDPR, companies are required to report any breaches to their lead regulator within a 72-hour statutory notice period). According to Twitter, the delay in informing the DPC was “an unanticipated consequence of staffing” between Christmas Day 2018 and New Year’s Day.
In a statement on Tuesday, Twitter’s Chief Privacy Officer and Global Data Protection Officer Damien Kieran accepted that the company had made an error and said that it had made changes so that all incidents following this have been reported to the DPC in a timely fashion.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur,” he said. “We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”
The Twitter case was one of multiple investigations involving Silicon Valley tech giants that the Irish regulator is currently making decisions on. Each case could result in a fine of up to 4% of a company’s global revenue or 20 million euros ($22 million), or even an order that would require the business to temporarily or permanently stop collecting and processing the data of European citizens.
Next up to hear about a fine will likely be WhatsApp, against which the DPC also issued a preliminary decision back in May.