Twitter Violating GDPR Data Breach Provisions: The Full Story You Need to Know

  In May 2018, the General Data Protection Regulation (GDPR) of the European Union was enacted. The GDPR stipulates a standard for how businesses and websites share, access, use, and protect internet users' data. Although European Union legislation, it has far-reaching consequences. Why? Because websites worldwide must observe its guidelines if they want EU citizens to visit their websites. No wonder 27 percent of companies have spent half a million dollars to become compliant with this legislation. What's more, nearly eight in ten American companies have taken steps to comply with the GDPR. So, it shocked many to learn recently of Twitter violating GDPR data breach provisions. Here's what you need to know about this GDPR data breach and what it has cost Twitter.

Twitter Violating GDPR Data Breach Provisions

Two years after first disclosing a violation of the GDPR, Twitter has been hit with a $546,000 (€450,000) fine by Ireland's Data Protection Commission (DPC). The breach was first disclosed in January 2019 by the big-name social media brand. What did this breach entail? It involved a security flaw, which exposed some private tweets of the service's Android users to the public over the past four years. How did this violate the EU's GDPR? By failing to notify the regulator within 72 hours of discovering the GDPR violation by Twitter. This action represents the first time a tech giant in the US has received a GDPR fine in a cross-border case. The Irish regulator consulted with its European Union peers during the GDPR penalty decision-making process. Who headed up the investigation? The Irish Data Protection Commission (IDPC). This Irish supervisory authority oversees the GDPR and other regulatory frameworks. These include the Irish ePrivacy Regulations (2011) and the European Union's Directive (a.k.a. the Law Enforcement Directive). Why was Ireland chosen for the investigation? Because Twitter is headquartered internationally in Ireland.

Twitter Violating GDPR and the Consequences

At this point, you may be wondering what the GDPR is and why it took the EU so long to place a fine on Twitter. The GDPR represents the strictest security and privacy law currently in place to protect internet user data for those living in the EU. It functions like other privacy regulations (think HIPAA for Business Associates and HIPAA for HCIRs) and comes with hefty consequences for violations - refer What is HIPAA Certification?. What about the extended timeline for prosecuting Twitter's violation? It's the result of the cross-border process. The DPC originally posted its decision back in May to adhere to the GDPR's  comments process. At that time, several other regulators objected to points within their conclusion. So, the decision had to go through a dispute-resolution process. What were the key objectives of these regulators? Some noted that the penalty amount of $546,000 fell well below the GDPR's specified range for fines.

Objections to the Irish DPC's Fine

The GDPR may leverage up to two percent of a company's global annual revenue. This action is triggered by failure to protect Twitter users' privacy. Surprisingly, the Irish DPC initially proposed an even smaller amount. How small? They asked for a fine in the range of 0.005 and 0.01 percent of Twitter's annual turnover. This amount would have calculated out to between ‚¬135,000 and ‚¬275,000. Why did the DPC ask for so much less? They argued that Twitter's violation stemmed from negligence rather than systematic or intentional intent. Despite this claim, the case went through a dispute-resolution process. Article 65 intervention compelled Ireland to increase the size of the penalty. To do this, the European Data Protection Board (EDPB) issued binding requirements, forcing Ireland to recalculate the penalty. But the EDPB's objections didn't stop there. They also disagreed with the controller and processor status of Twitter's Irish versus American headquarters. Ireland accepted the brand's declaration that Twitter Ireland was the data controller and Twitter Inc the processor. The EDPB alleged that these erroneous designations on the part of Twitter represented an attempt to reduce its liability.

GDPR Millstone or Milestone?

The length of time it took for the GDPR's dispute-resolution process has raised some individuals' ire. They charge that the GDPR lacks significant legislative teeth citing the meager final fine that the IDPC decided to impose. The leadership of the DPC has subsequently supported this stance. Head of the Irish DPC, Helen Dixon, has admitted that the process proved inefficient. But she noted that it was also the first time this legislation applied internationally. Dixon remains optimistic about future uses of these regulations. That said, many EU regulators agree there's little to celebrate with the Twitter decision. Instead of the IDPC's final resolution representing a milestone for the GDPR, it feels more like a millstone to many.

The Response to the Twitter Data Breach

In a statement to TechCrunch, Twitter has stated that they respect the Irish DPC's decision. The tech giant also notes that the data breach resulted from staffing issues between Christmas and New Years' Day 2018. How did Twitter first become aware of the data breach? The company received a notification from a researcher on December 26. The researcher advised the brand that the flaw was ongoing and violated some users' privacy.

What Caused the Data Breach

How did the flaw violate user rights? Twitter permits users to designate protected and unprotected tweets. When users opt to have protected tweets, only a user's followers may view their messages. As for unprotected tweets? These exist in the public domain and may be seen by anyone. But the bug discovered by the researcher ultimately converted protected tweets into unprotected ones. This change occurred without users' knowledge and was triggered when account holders with Androids updated their email addresses. The change from protected to unprotected tweets happened without any notifications to users. After doing further research, Twitter confirmed that the breach occurred on November 4, 2014. Yet, the company remained unable to determine who was affected by the issue before September 5, 2017. Between September 5, 2017, and January 11, 2019, Twitter's breach also impacted users from the European Union and the European Economic Area (EEA).

More About the Twitter Data Breach

To better understand what this violation means, let's take a closer look at the portion of the GDPR to which it relates. Article 33(1) forces companies to notify the appropriate Data Protection Authority within 72 hours of the data breach's discovery. It's this provision of the GDPR that the IDPC found Twitter guilty of breaching. The GDPR requires companies facing a data breach to detail the data involved and the company's measures to secure this information. The company must also contact the data protection controller to assess compliance. Twitter failed to notify the data protection controller in a timely fashion (72 hours after discovery). The company also failed to properly document the incident and its long-term repercussions for users. For this reason, the IDPC found the company guilty, stating that the penalty must be proportionate, dissuasive, and effective. Throughout the investigation, Twitter cooperated with the IDPC to gain more insights into the incident and to move forward with an appropriate response. If the IDPC had followed the stipulations of the GDPR to the letter of the law, Twitter could have faced a maximum financial penalty of $168 million (€138 million). In other words, they would have faced a fine of approximately 0.1 percent of their global annual turnover for 2019.

The Response to the Twitter Data Breach

To avoid similar errors down the road, Twitter has enacted new protocols to ensure future breaches get reported in a timely fashion. Twitter has also taken full responsibility for this mistake. And they remain dedicated to protecting the data and privacy of users. Media sources such as the Wall Street Journal report that Twitter's breach represents the first in a list of more than 20 ongoing cases of GDPR violations. Which other companies face GDPR data breach cases? They include WhatsApp, Google, Facebook, LinkedIn, and Apple, to name a few. It will be fascinating to watch how prosecutions unfold in 2021 and beyond.

The Takeaway from Twitter's GDPR Data Breach

What's the takeaway when it comes to Twitter violating GDPR data breach provisions? Ireland's Data Protection Commission represents the first EU nation to investigate and rule on an international GDPR violation. That said, some feel the IDPC dropped the ball with regards to the monetary penalty imposed upon Twitter. And with good reason. The final price tag fell well below what the IDPC could charge, which caused friction within the EDPB. Despite the mild repercussions Twitter has faced, this case still sends a message to other brands that the European Union will prosecute GDPR offenses.

GDPR Compliance Matters More Than Ever

As future cases move forward with companies like Facebook, LinkedIn, and Apple, it will be interesting to see what future applications of the GDPR will look like. GDPR compliance has never proven more critical, and you should turn to a trusted source for compliance training to educate your employees. Browse our most popular courses now.

For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.