The Irish Data Protection Commission decided to increase the fine it initially intended to impose on Twitter for GDPR violations from €300,000 to €450,000.
Twitter was found to have violated the GDPR by failing to report in a timely manner, and to properly document, a data breach it discovered on its popular platform. The breach involved a bug on Twitter’s platform which, in some cases, caused users’ private tweets to become public if they updated their email address.
Specifically, Twitter was found to have lacked the internal documentation of the breach that the GDPR requires, and to have notified the Irish Data Protection Commission 5 days after becoming aware of the breach, rather than within 3 days as prescribed by the GDPR. The Irish regulator originally intended to impose a fine in the range of €150,000 to €300,000 but was compelled to increase the fine on the instruction of the European Data Protection Board (EDPB). Following objections to the Irish regulator’s draft decision from data protection authorities in Italy, Germany, Austria, and Hungary, the EDPB determined that the Irish regulator should increase the fine to better reflect the GDPR principles of effective, dissuasive, and proportional fines.