Ireland’s Data Protection Commission (DPC) fined Twitter €450,000 for a vulnerability discovered in 2018 that exposed the tweets of users who had strict privacy settings for their profiles. “The DPC has found that Twitter infringed Article 33(1) and 33(5) of the GDPR [General Data Protection Regulation] in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach,” the agency said in a press release, terming the fine an “effective, proportionate and dissuasive measure.”
This fine was not issued immediately. It drew objections from the Irish DPC’s counterparts in other European countries. As a result, a dispute resolution process was triggered under the GDPR, something the DPC said was the first of its kind. After months of deliberations, the resolution process affirmed the Irish DPC’s decision and concluded with the above fine. Twitter had reported the incident almost two years ago, in January 2019, revealing that the vulnerability had exposed tweets of protected users on the site for years.