European Union (EU) privacy watchdogs are at odds over whether to fine Twitter Inc. for its handling of a data breach last year and how much should be assessed.
The Wall Street Journal reported that the disagreement was disclosed by Ireland’s Data Protection Commission, one of the EU’s privacy regulators.
At issue is a security flaw that Twitter claimed to have corrected in 2019. Due to the flaw, the private tweets of some users were exposed over a period of more than four years, the WSJ reported.
The 28-nation bloc’s General Data Protection Regulation (GDPR) allows regulators to fine companies up to 2 percent of annual revenues for failure to notify the agency of a data breach within 72 hours. For Twitter, the fine could total as much as $69 million, the newspaper reported.
Nearly two dozen other GDPR investigations are underway into Facebook, Google and other U.S. tech companies.
Twitter didn’t immediately respond to a request for comment.
The Irish regulator did not say which entities objected to its proposed decision, or on what grounds. But questions raised about the fine could potentially eliminate the penalty or change the dollar amount.
Graham Doyle, GDPR’s deputy commissioner, told the WSJ that the commission is consulting with other regulators to resolve their differences.
“However, following consultation, a number of objections were maintained, and the DPC has now referred the matter to the European Data Protection Board,” which is the body representing all EU privacy regulators, Doyle told the newspaper.
In January, CNBC reported that the GDPR had assessed 114 million euros ($126 million) in fines since the measure was adopted. More than 160,000 data breach notifications across Europe were reported, according to research from DLA Piper.
“It’s not a huge surprise that we’re seeing a slow start to fines, but there’s more to come,” Ross McKean, a partner at DLA Piper, told the network.
Last year, France’s National Commission on Informatics and Liberty slapped Google with a 50-million-euro ($57 million) fine for alleged infringements of GDPR, the largest so far.
Earlier this month, a 17-year-old Florida teenager and two adults pleaded not guilty to Twitter's largest security breach in the social networking site’s 14-year history.
Graham Ivan Clark, who until last year was a student at Tampa’s Gaither High School, faces charges of gaining access to the Twitter accounts and sending tweets soliciting others to send bitcoin payments. On July 15, hackers seized control of the high-profile accounts of Joe Biden, Kim Kardashian, Bill Gates and dozens of other celebrities.