Ireland’s Data Protection Commission (DPC) concluded its investigation into Twitter and determined that the U.S. social media giant violated the European Union’s General Data Protection Regulation (GDPR) rules.
The DPC’s probe was initially launched in January, 2019 when the agency was first notified of a possible violation linked to Twitter, according to a DPC statement on Tuesday (Dec. 15). The investigation concluded that Twitter didn’t document the breach nor notify officials in a timely manner, both required under GDPR mandates.
The GDPR mandates that most personal data breaches issue a notification within 72 hours of becoming aware of the issue.
The draft decision in May was submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR. It was the first issue processed through Article 65 (“dispute resolution”) since the GDPR was launched. It also was the first draft decision regarding a Big Tech case that called on EU supervisory authorities to be consulted as Concerned Supervisory Authorities.
Damien Kieran, chief privacy officer and global data protection officer at Twitter, told TechCrunch that the company supported Ireland’s DPC’s investigation.
“An unanticipated consequence of staffing between Christmas Day 2018 and New Years Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion,” a spokesperson told TechCrunch.
“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness,” the spokesperson said.
EU privacy watchdogs were at odds in August about how much to fine Twitter for the data breach.
Twitter joined Mozilla, Automatic and Vimeo in asking EU regulators to defend the internet and expressed concern about the future handling of content deemed harmful and illegal.
The U.S. Federal Trade Commission (FTC) voted 4-1 that social media and tech companies have to provide data relating to advertising and user engagement. Companies affected include Amazon, TikTok’s ByteDance, Discord, Facebook, Reddit, Snap, Twitter, WhatsApp and YouTube.