Welcome to the Reuters.com BETA. Read our Editor's note on how we're helping professionals make smart decisions.
Skip to main content


Irish watchdog fines Twitter in landmark for EU data privacy regime

3 minute read

The Twitter logo is displayed on a screen on the floor of the New York Stock Exchange (NYSE) in New York City, U.S., September 28, 2016. REUTERS/Brendan McDermid

DUBLIN, Dec 15 (Reuters) - Ireland's data regulator has fined Twitter (TWTR.N) 450,000 euros for a bug that made some private tweets public, the regulator said on Tuesday, in the first sanction against a U.S. firm under a new European Union data privacy system.

The EU's General Data Protection Regulation's (GDPR) "One Stop Shop" regime makes Ireland's Data Protection Commission lead regulator of Twitter, Facebook (FB.O), Apple (AAPL.O) and Google (GOOGL.O) in the bloc, due to the location of their EU headquarters.

GDPR has been in force since 2018, but the Twitter case is the first using a new dispute resolution system under which one lead national regulator makes a decision before consulting with the other EU national regulators.

Some EU regulators objected to Ireland's preliminary Twitter ruling when it was issued in May, triggering a referral to the dispute resolution body, the European Data Protection Board (EDPB).

In its final ruling, the Irish DPC said it had originally sought to impose a fine of $150,000 - $300,000 but increased it after Austrian, German and Italian regulators successfully argued that it was too low.

The fine relates to a 2019 probe into a bug in its Android app, where some users' protected tweets were made public.

In particular it was levied due to Twitter's "failure to notify the breach on time to the DPC and a failure to adequately document the breach," the DPC said in a statement, calling the punishment a "proportionate and dissuasive measure".

Twitter said in a statement that the delay in reporting the incident was an "unanticipated consequence of staffing between Christmas Day 2018 and New Years' Day" and that it had made changes so that future incidents would be reported in a timely fashion.

"We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers," the statement, posted on Twitter, said.

The Irish regulator, which has more than 20 major inquiries into U.S technology firms open, has the power to impose fines for violations of up to 4% of a company's global revenue or 20 million euros ($22 million), whichever is higher.

Twitter is the subject of at least two other inquiries by the Irish regulator.

"Notwithstanding the inevitable criticism that it is not 'enough', this is still the first shot across the bows in Ireland for one of the big tech players," said Rafi Azim-Khan, Head of Data Privacy at Pillsbury Law.

Reporting by Conor Humprhies; Editing by Kirsten Donovan

Our Standards: The Thomson Reuters Trust Principles.

More from Reuters