The Dublin Circuit Court (DCC) on Monday confirmed the Irish Data Protection Commission (DPC) decision to fine Twitter €450,000 for its delay in reporting a data breach.
The fine, imposed in 2020, was implemented when Twitter failed to report a General Data Protection Regulation (GDPR) data breach in enough time. The breach related to Android users who had changed their settings to make tweets private and could have had their data exposed due to a bug.
It was found that the delay in reporting this breach infringed Article 33 (1)(5) of the GDPR. Article 33(1) requires the “controller” to report any personal data breaches within 72 hours of becoming aware of the breach. Article 33(5) further states that the controller must report personal data breaches.
The inquiry, which began in January 2019, found that Twitter failed to notify the breach and adequately document it. The fine imposed by the DPC was to act as a deterrent to further breaches of GDPR.
The DCC confirmed the legitimacy of the fine, in line with section 143 of the Data Protection Act 2018. This case was one of the first media giants to go through the Article 65 dispute resolution process since the introduction of the European Data Protection Board published decision.