Irish watchdog fines Twitter in landmark for EU data privacy regime

Ireland's data regulator has fined Twitter 450,000 euros ($547,000) for a bug that made some private tweets public, the first sanction against a major U.S. tech firm under a new EU dispute mechanism, but much less than some EU states demanded.

The European Union's General Data Protection Regulation's (GDPR) "One Stop Shop" regime makes Ireland's Data Protection Commission (DPC) lead regulator of Twitter, Facebook, Apple and Google in the bloc, due to the location of their EU headquarters in the country.

GDPR has been in force since 2018, but the Twitter case is the first using a new dispute resolution system under which one lead national regulator makes a decision before consulting with the other EU national regulators. 

The DPC, which has more than 20 major inquiries into U.S technology firms open, can impose fines for violations of up to 4% of a company's global revenue or 20 million euros, whichever is higher.

It had the power to fine Twitter $60 million over a bug in its Android app identified in early 2019, where some users' protected tweets were made public. The penalty was capped at 2% of annual turnover as it was deemed a less severe infringement.

Austria's regulator sought a fine of at least 25 million euros and Germany one in the range of 7.3 to 22 million euros, the European Data Protection Board (EDPB) said, in objections to Ireland's preliminary ruling in May that triggered a referral to the EDPB, the bloc's dispute resolution body.

In its final ruling on Tuesday, the Irish DPC said it had originally sought to impose a fine of $150,000-$300,000.

It said the punishment was a "proportionate and dissuasive measure" over Twitter's failure to both notify the breach on time and adequately document it.

Twitter said in a statement the delay in reporting the incident was an "unanticipated consequence of staffing between Christmas Day 2018 and New Years' Day" and that it had made changes so that future incidents would be reported in a timely fashion. 

"We take full responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers," the statement, posted on Twitter, said. 

Twitter is the subject of at least two other inquiries by the Irish regulator.

"Notwithstanding the inevitable criticism that it is not 'enough', this is still the first shot across the bows in Ireland for one of the big tech players," said Rafi Azim-Khan, Head of Data Privacy at Pillsbury Law. 

(Editing by Kirsten Donovan and Mark Potter)