X (Twitter) — Enforcement
Executive Summary
The Irish DPC fined Twitter €450,000 for failing to notify the regulator of a data breach within the 72-hour window required by GDPR and failing to adequately document the breach. A bug in Twitter's Android app had caused protected tweets from private accounts to become publicly visible. This was the first major GDPR enforcement decision against a big tech company to go through the EU's Article 65 dispute resolution process.
What Happened
On December 15, 2020, Ireland's Data Protection Commission fined Twitter €450,000 for violating GDPR Articles 33(1) and 33(5). The investigation began in January 2019 after Twitter reported a data breach outside the required 72-hour notification window and failed to adequately document the breach. This was the first GDPR enforcement decision against a multinational tech company to go through the EU's Article 65 dispute resolution process, in which other EU data protection authorities raised objections to the draft decision.
Who Is Affected
The breach involved Twitter users whose protected tweets from private accounts became publicly visible due to a bug in Twitter's Android app. The enforcement action primarily affects Twitter International Company, which is subject to Irish DPC oversight for its European operations.
Why It Matters
This was the first major GDPR enforcement action by the Irish DPC against a multinational tech company and the first to use the Article 65 dispute resolution mechanism. The relatively small fine of €450,000 set a precedent that was viewed as an early win for Big Tech companies, and raised questions about how EU data protection authorities would resolve disagreements in future cases. The European Data Protection Board noted friction in the process and implied the Irish DPC could have done more to address objections from other supervisory authorities.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.
Sources