Twitter becomes first US tech firm fined for EU privacy law violation

Twitter on Tuesday became the first U.S. tech firm to be fined for violating a European Union privacy law that went into effect more than two years ago, after Ireland’s Data Protection Commission imposed a penalty of 465,000 euros.

Ireland’s Data Protection Commission said it is fining Twitter 465,000 euros, about $546,000, for not disclosing or documenting a data breach in 2019 within 72 hours, as required by the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018. The failure to notify the regulator of the breach in the required 72-hour window was an operational error, according to Twitter. The GDPR includes a mandate that companies that handle EU citizens’ data must, once they realize there has been a breach, inform those affected within 72 hours. The data breach involved an issue Twitter publicly disclosed in January 2019.

The company said an issue with its “Protect your Tweets” function for Android users meant that between 2014 and 2019 some users who had set their tweets to private may have had their data exposed to the public.

The fine issued to Twitter is far short of the full 2 percent of a company’s global annual revenue that the General Data Protection Regulation allows as a fine. Twitter’s global annual revenue was about $60 million in 2018, according to The Wall Street Journal. Ireland’s Data Protection Commission recommended a fine of only 0.25 percent to 0.5 percent of the maximum because it found Twitter’s violation was negligent, not intentional or systematic, the Journal reported.