Confirmation of Fine – Twitter International Company

18th October 2021

The Irish Data Protection Commission (DPC) today had the decision to impose an administrative fine on Twitter International Company confirmed in the Dublin Circuit Court. The application to confirm the decision to impose an administrative fine of €450,000 was made pursuant to Section 143 of the Data Protection Act 2018.

The Inquiry was commenced in January, 2019 following receipt of a breach notification from Twitter. The Breach, which occurred at TIC’s processor, Twitter Inc., related to a bug whereby if a Twitter user with a protected account, using Twitter for Android, changed their email address, their account would become unprotected. The purpose of the Inquiry was to examine certain issues surrounding TIC’s notification of the Breach, as distinct from examining the substantive issues relating to the Breach itself. Twitter notified the DPC of the personal data breach on 8 January 2019 and the decision found that ought to have been aware of the Breach at the latest by 3 January 2019.

Decision

  • The decision found that Twitter infringed Articles 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.

Corrective Powers

  • The decision imposed an administrative fine on Twitter in the amount of €450,000 in respect of the infringements.