Twitter Fined €450,000 by the Data Protection Commission for GDPR Violations

Ireland’s Data Protection Commission (the “DPC”) has concluded its investigation into Twitter and has imposed a €450,000 fine as an “effective, proportionate and dissuasive measure” for its violations of the EU General Data Protection Regulation (the “GDPR”).


Twitter discovered a “bug” in its code that resulted in certain Twitter users’ private tweets being made public. This personal data breach reportedly affected around 90,000 EU- and EEA-based users from September 2017 until January 2019. As the bug in the code can be traced back to November 2014, it is possible that it affected a far larger number of users. Twitter notified the DPC of this personal data breach - the impact of which it identified as “significant” - on 8 January 2019, and the DPC commenced its inquiry into the company on 22 January 2019.

GDPR Violations

Before commencing the inquiry into violations of the GDPR, the DPC first had to establish whether it was the competent supervisory authority to inquire into Twitter’s cross-border processing of personal data that resulted in the breach of its users’ data protection rights in the EU. Upon establishing competence, the DPC commenced its investigation of the personal data breach and of Twitter’s response on discovering its severity.

Helen Dixon, Commissioner for Data Protection and the decision-maker for the DPC, through her decision of 9 December 2020, found Twitter to be in violation of Articles 33(1) and 33(5) of the GDPR. She found that Twitter “ought” to have been aware of the data breach at an earlier point in time and that it “failed to notify the DPC of the personal data breach within the prescribed timeframe”. She also found that Twitter “failed to adequately document the breach” as required by the GDPR, and noted that the extent of deficiencies in its documentation required the DPC to raise multiple queries to gain clarity on the facts surrounding the notification of the personal data breach. The DPC’s decision can be read here.

Lessons from the Consistency Mechanism

The DPC’s final decision follows the European Data Protection Board’s Article 65 (Dispute Resolution) decision adopted on 9 November 2020 (which can be read here). Although a number of objections were raised by other supervisory authorities, the EDPB only upheld objections in relation to the level of the administrative fine proposed by the DPC. The majority of the objections were not upheld on the basis that they did not show that the proposed decision posed a risk to the rights and freedoms of data subjects. However, the decision itself provides valuable insight into the approach to various issues by supervisory authorities. The commentary in relation to the ‘main establishment’ and ‘lead supervisory’ objections is likely to be of particular interest to multinational organisations that hope to avail of the one-stop-shop supervisory mechanism under the GDPR.

Also contributed by Aishwarya Jha

This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.