Twitter becomes first US tech firm fined for EU privacy law violation

Twitter becomes first US tech firm fined for EU privacy law violation
© Getty Images

Twitter on Tuesday became the first U.S. tech firm to be fined for violating a European Union privacy law that went into effect more than two years ago. 

Ireland’s Data Protection Commission said it is fining Twitter 465,000 euros, about $546,000, for not promptly disclosing or documenting a data breach in 2019 within 72 hours, as required by the EU’s General Data Protection Regulation, which went into effect in 2018. 

The failure to notify the regulator of the breach in the required 72-hour window was an operational error, according to Twitter. 


The company’s chief privacy officer, Damien Kieran, said in a statement the delay in the notification was due to an “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day.”

“We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers,” Kieran added. 

The data breach involved an issue Twitter publicly disclosed in January 2019. The company said an issue with its “Protect your Tweets” function for Android users meant that between 2014 and 2019 some users who applied settings to have private tweets may have had their data exposed to the public. 

The fine issued to Twitter is far short of the full 2 percent of a company’s global annual revenue that the General Data Protection Regulation is allowed to fine. Twitter’s global annual revenue was about $60 million in 2018, according to The Wall Street Journal

Ireland’s Data Protection Commission recommended a fine of only 0.25 percent to 0.5 percent of the maximum because it found Twitter's violation was negligent, not intentional or systematic, the Journal reported. However, the fine was raised after a dispute-resolution process.   

Although it is the first time a U.S. company has been fined for breaking the EU’s privacy law, it is one of many cases in the pipeline. 

The next nearing completion in Ireland, where most of the tech giants are headquartered regionally, involves Facebook-owned WhatsApp, the Journal reported. It is one of 14 cases the data commission has opened into Facebook and its subsidiaries; other cases involve Apple and Google.

Updated at 10:12 a.m.