London Daily

Focus on the big picture.
Friday, Sep 19, 2025

Twitter fined $550k over a data breach in Ireland’s first major GDPR decision

Twitter fined $550k over a data breach in Ireland’s first major GDPR decision

Ireland's data regulator has fined Twitter 450,000 euros for a bug that made some private Tweets public - in the first sanction against a U.S. firm under a new European Union data privacy system
Ireland’s Data Protection Commission (DPC) has issued Twitter with a fine of €450,000 (~$547k) for failing to promptly declare and properly document a data breach under Europe’s General Data Protection Regulation (GDPR).

The decision is noteworthy as it’s the first such cross-border GDPR decision by the Irish watchdog, which is the lead EU privacy supervisor for a number of tech giants — having a backlog of some 20+ ongoing cases at this point, including active probes of Facebook, WhatsApp, Google, Apple and LinkedIn, to name a few.

“The DPC’s investigation commenced in January, 2019 following receipt of a breach notification from Twitter and the DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” the regulator writes in a press release.

The GDPR requires most breaches of personal data to be notified to the relevant supervisory authority within 72 hours of the controller becoming aware of the breach.

The regulation also requires they document what data was involved and how they’ve responded to the security incident — in order that the relevant data supervisor can check against compliance.

In this case Twitter was found to have failed on both counts.

We’ve reached out to the social media company for comment, including asking whether it plans to accept the decision and pay up — or if it’s considering its legal options.

Twitter has sent this statement, attributed to Damien Kieran, its chief privacy officer and global data protection officer:

“Twitter worked closely with the Irish Data Protection Commission (IDPC) to support their investigation. We have a shared commitment to online security and privacy, and we respect the IDPC’s decision, which relates to a failure in our incident response process. An unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion.

We take responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our work to quickly and transparently inform the public of issues that occur. We appreciate the clarity this decision brings for companies and consumers around the GDPR’s breach notification requirements. Our approach to these incidents will remain one of transparency and openness.”

The company also told us that since this specific incident, where inadequate staffing over the 2018 holiday period led to a delay in reporting the breach, it has made all relevant incident reports to the DPC within the required 72 hour period.

The DPC’s decision relates to a breach that Twitter publicly disclosed in January 2019 — when it said a bug in its ‘Protect your tweets’ feature could have meant some Android users who’d applied the setting to make their tweets non-public may have had their data exposed to the public Internet since as far back as 2014. (Though GPDR would only apply to data the bug exposed since May 2018.)

Since fessing up to the ‘Protect your tweets’ bug, Twitter has had plenty more egg on its face where security is concerned — including suffering a high profile account hijacking episode earlier this year, after crypto-scam-spreading hackers gained network access credentials using a social engineering technique.

Ireland’s DPC, meanwhile, continues to face criticism for the length of time it’s taking to reach decisions on major cross-border GDPR cases where impacts on individual rights can scale to hundreds of millions of European Internet users.

Last year commissioner Helen Dixon said its first major GDPR decisions would come “early” in 2020.

In the event the first cross-border decision has crossed the line days before the end of the year — underlining the challenges for the bloc in effectively enforcing its digital rulebook against tech giants. (GDPR technically begun being applied in May 2018, although platform giants have faced precious little enforcement to date.)

In this specific case, some half a year extra was added to the decision timeline after a draft outcome Ireland submitted to other EU DPAs for review, back in May, was not accepted by all of them — triggering a majority vote mechanism in the GDPR for settling disagreement between the bloc’s data supervisors.

The European Data Protection Board (EDPB) has published this Article 65 decision and the full final decision on its website here.

The (now) final outcome on the Twitter case comes at a key time — with EU lawmakers due to set out their next major pieces of digital policy later today, as part of an ambitious push to accelerate regional digitization by rolling out a reassuring promise of European guardrails wrapping around all this tech.

Yet with GDPR enforcement proving such a tedious, friction-filled process that threatens to take the shine off the nascent Digital Services Act and Digital Markets Act many months (or even years) before they can become EU law — raising questions about how the whole strategy can be expected to function in the absence of effective (i.e. fair but fast) enforcement.

The wider risk here is European citizens losing faith in the rights-based framework they’re told they enjoy, under EU law and the bloc’s patchwork of regulatory frameworks, if the animal turns out to be such a plodding house-cat when people do try to obtain relief.

So the Commission’s strategy of claiming expanded digital rules will act as a public trust booster risks falling into a trough of disillusionment at the legislative proposal stage.

Simple put: You can’t allow your regulators to move so slowly and expect your rulebook to touch tech giants whose playbook is to move fast in order to disrupt the rule of law in their own business’ interests.

The DPC’s decision in the Twitter case is thus a measure of how sizeable a gap sits between the rhetoric EU policymakers ply around the bloc’s ‘powerful’ digital rules — and the messier and more faltering reality: Nearly two years since Twitter disclosed the breach and waiting for a hammer to drop in what should be a relatively straightforward case.

A data breach is not an investigation into the lawfulness of Facebook’s business model vs GDPR, after all, nor does it delve into the intricacies of Google’s adtech — both of which are still open case files on the DPC’s desk.

The penalty itself is also a fraction (a little over 0.1%) of Twitter’s full-year 2019 revenue; a far cry from the up to 4% of global annual turnover maximum allowed for under the GDPR (or the up to 2% max for the specific infringements involved in the breach case).

The size of the fine calculated by Ireland was one of the objections raised by other EU DPAs during the dispute of the draft decision — the DPC initially proposed an even smaller fine (in the range of 0.005% and 0.01% of Twitter’s annual turnover; or between €135k and €275k).

The Article 65 intervention forced Ireland to increase the size of the penalty (though not by much), with the EDPB issuing a binding requirement that Ireland reassess the calculation “so as to ensure it is appropriate to the facts of the case”. (It did not specify how large an increase would be required.)

EU DPAs also disagreed on the controller/processor status of Twitter’s Irish business vs its US entity — with Ireland accepting Twitter Ireland as the data controller and Twitter Inc as the processor, a designation that seems intended to reduce its liability.

So this first cross-border GDPR decision looks more millstone than milestone for the Commission, at the fag end of 2020.

There’s not a lot for commissioners to celebrate here, even though they suggested in the summer that the best answer to GDPR enforcement concerns would be for Ireland to get a decision out. The problem now is the black marks against the bloc’s record on digital enforcement look stubbornly set in — just as the Commission is laying out a plan to go all in on platform regulation.

The questions over enforcement are going to keep coming.
Newsletter

Related Articles

0:00
0:00
Close
Massive Strikes in France Pressure Macron and New PM on Austerity Proposals
Trump Seeks Supreme Court Permission to Remove Fed Governor Lisa Cook
Hillary Clinton’s Reckless Rhetoric Fuels Division After Charlie Kirk’s Assassination
NASDAQ Rises to Record as Intel Soars More Than 20%, Nvidia Gains 3%
Nvidia’s $5 Billion Bet on Intel Reshapes AI Hardware Landscape
Trump and Starmer Clash Over UK Recognition of Palestinian State Amid State Visit
Trump’s Quip on Biden and Google Lawsuit Revives Debate Over Antitrust Legacy
Macron and his wife to provide 'scientific photographic evidence' that she is a real woman
US Tech Giants Pledge Billions to UK AI Infrastructure Following Starmer's Call
Saudi Arabia cracks down on music ‘lounges’ after conservative backlash
DeepMind and OpenAI Achieve Gold at ‘Coding Olympics’ in AI Milestone
SEC Allows Public Companies to Block Investors from Class-Action Lawsuits
Saudi Arabia Signs ‘Strategic Mutual Defence’ Pact with Pakistan, Marking First Arab State to Gain Indirect Access to Nuclear Strike Capabilities in the Region
Federal Reserve Cuts Rates by Quarter Point and Signals More to Come
Effective and Impressive Generation Z Protest: Images from the Riots in Nepal
European manufacturers against ban on polluting cars: "The industry may collapse"
Sam Altman sells the 'Wedding Estate' in Hawaii for 49 million dollars
Trump: Cancel quarterly company reports and settle for reporting once every six months
Turkish car manufacturer Togg Enters German Market with 5-Star Electric Sedan and SUV to Challenge European EV Brands
US Launches New Pilot Program to Accelerate eVTOL Air Taxi Deployment
Christian Brueckner Released from German Prison after Serving Unrelated Sentence
World’s Longest Direct Flight China Eastern to Launch 29-Hour Shanghai–Buenos Aires Direct Flight via Auckland in December
New OpenAI Study Finds Majority of ChatGPT Use Is Personal, Not Professional
Hong Kong Industry Group Calls for HK$20 Billion Support Fund to Ease Property Market Stress
Joe Biden’s Post-Presidency Speaking Fees Face Weak Demand amid Corporate Reluctance
Charlie Kirk's murder will break the left's hateful cancel tactics
Kash Patel erupts at ‘buffoon’ Sen. Adam Schiff over Russiagate: ‘You are the biggest fraud’
Homeland Security says Emmy speech ‘fanning the flames of hatred’ after Einbinder’s ‘F— ICE’ remark
Charlie Kirk’s Alleged Assassin Tyler Robinson Faces Death Penalty as Charges Formally Announced
Actor, director, environmentalist Robert Redford dies at 89
The conservative right spreads westward: a huge achievement for 'Alternative for Germany' in local elections
JD Vance Says There Is “No Unity” with Those Who Celebrate Charlie Kirk’s Killing, and he is right!
Trump sues the 'New York Times' for an astronomical sum of 15 billion dollars
Florida Hospital Welcomes Its Largest-Ever Baby: Annan, Nearly Fourteen Pounds at Birth
U.S. and Britain Poised to Finalize Over $10 Billion in High-Tech, Nuclear and Defense Deals During Trump State Visit
China Finds Nvidia Violated Antitrust Laws in Mellanox Deal, Deepens Trade Tensions with US
US Air Force Begins Modifications on Qatar-Donated Jet Amid Plans to Use It as Air Force One
Pope Leo Warns of Societal Crisis Over Mega-CEO Pay, Citing Tesla’s Proposed Trillion-Dollar Package
Poland Green-Lights NATO Deployment in Response to Major Russian Drone Incursion
Elon Musk Retakes Lead as World’s Richest After Brief Ellison Surge
U.S. and China Agree on Framework to Shift TikTok to American Ownership
London Daily Podcast: London Massive Pro Democracy Rally, Musk Support, UK Economic Data and Premier League Results Mark Eventful Weekend
This Week in AI: Meta’s Superintelligence Push, xAI’s Ten Billion-Dollar Raise, Genesis AI’s Robotics Ambitions, Microsoft Restructuring, Amazon’s Million-Robot Milestone, and Google’s AlphaGenome Update
Le Pen Tightens the Pressure on Macron as France Edges Toward Political Breakdown
Musk calls for new UK government at huge pro-democracy rally in London, but Britons have been brainwashed to obey instead of fighting for their human rights
Elon Musk responds to post calling for the murder of Erika Kirk, widow of Charlie Kirk: 'Either we fight back or they will kill us'
Czech Republic signs €1.34 billion contract for Leopard 2A8 main battle tanks with delivery from 2028
USA: Office Depot Employees Refused to Print Poster in Memory of Charlie Kirk – and Were Fired
Proposed U.S. Bill Would Allow Civil Suits Against Judges Who Release Repeat Violent Offenders
Penske Media Sues Google Over “AI Overviews,” Claiming It Uses Journalism Without Consent and Destroys Traffic
×