Twitter issued $547,000 GDPR fine by Irish regulator in landmark decision

In its response to the fine, Twitter accepts responsibility for a failure in its reporting mechanism.

Katie Collins Senior European Correspondent

Katie a UK-based news reporter and features writer. Officially, she is CNET's European correspondent, covering tech policy and Big Tech in the EU and UK. Unofficially, she serves as CNET's Taylor Swift correspondent. You can also find her writing about tech for good, ethics and human rights, the climate crisis, robots, travel and digital culture. She was once described a "living synth" by London's Evening Standard for having a microchip injected into her hand.

See full bio

Katie Collins

Dec. 15, 2020 4:05 a.m. PT

2 min read

gettyimages-1193277136 — Twitter's fine is likely the first of several that will be issued to tech giants.
Agron Beqiri/NurPhoto via Getty Images

Ireland's privacy watchdog on Tuesday hit Twitter with a fine of 450,000 euros ($547,000) over GDPR violations. The fine is the result of a landmark decision by the regulator to penalize the social platform for violating Europe's strict data protection law, which is likely the first of several that will target tech giants in the coming months and years.

The fine follows a preliminary decision issued in May by Ireland's Data Protection Commission, which acts as the lead regulator on behalf of the entire EU for tech giants that have their European headquarters in Ireland. In a press release, the DPC described the fine against Twitter as "an effective, proportionate and dissuasive measure."

Twitter received the penalty because in December 2018 it suffered a breach and didn't report it quickly enough to the DPC (under the GDPR , companies are required to report any breaches to their lead regulator within a 72-hour statutory notice period). According to Twitter, the delay in informing the DPC was "an unanticipated consequence of staffing" between Christmas Day 2018 and New Year's Day.

Protect Your Privacy

In a statement on Tuesday, Twitter's Chief Privacy Officer and Global Data Protection Officer Damien Kieran accepted that the company had made an error and said that it had made changes so that all incidents following this have been reported to the DPC in a timely fashion.

"We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur," he said. "We appreciate the clarity this decision brings for companies and consumers around the GDPR's breach notification requirements. Our approach to these incidents will remain one of transparency and openness."

The Twitter case was one of multiple investigations involving Silicon Valley tech giants that the Irish regulator is currently making decisions on. Each case could result in a fine of up to 4% of a company's global revenue or 20 million euros ($22 million), or even an order that would require the business to temporarily or permanently stop collecting and processing the data of European citizens.

Next up to hear about a fine will likely be WhatsApp, against which the DPC also issued a preliminary decision on back in May.