The microblogging service Twitter must now pay a fine of 450,000 euros. The company had reported a hacker attack too late to the Irish data protection authority.
Hacker attack against Twitter
At the end of 2018, the company Twitter had reported a hacker attack to the data protection authority. However, this notification was made too late by Twitter. A successful hacker attack is a data breach, this must be reported to the competent supervisory authority within 72 hours according to the General Data Protection Regulation. It is not even necessary to make the report in detail, the main thing is that a report is made, and the exact background can be submitted later with a good explanation. Twitter reported too late according to the data protectors. As a reason, the company cited the staff shortage between Christmas 2018 and New Year 2019.
On the late notification, there was already a preliminary decision of the Data Protection Commission in Ireland in May this year. The Data Protection Commission Ireland is the competent authority for Twitter, as the company has its European headquarters in Ireland. According to the authority, the fine of 450,000 euros is “effective, proportionate and dissuasive.” This will prevent future mistakes in reporting and also make other companies aware that the legal requirements must be observed here. The Data Protection Officer and Chief Privacy Officer, Damien Kieran, has also admitted the misconduct of the company in the meantime.
Measures have now been taken by the company to submit the necessary reports to the authorities on time in the future. Privacy Officer Kieran said in a statement, “We accept responsibility for this mistake and remain fully committed to protecting the privacy and data of our customers, including through our efforts to quickly and transparently notify the public of issues as they arise.” “We appreciate the clarity this decision brings to businesses and consumers regarding the GDPR’s data breach notification requirements. Our approach to these incidents will continue to be one of transparency and openness.”
Irish data protection authority continues to investigate
Twitter is not the only company to have come to the attention of the Irish Data Protection Authority in this regard. Facebook subsidiary WhatsApp is also affected by investigations at the moment. So it cannot be ruled out that WhatsApp will also soon have to pay a hefty fine. Especially since the General Data Protection Regulation prefers up to 4 percent of a company’s global turnover or 20 million euros. Apart from that, the data protection authority can also temporarily or permanently ban a company from processing data of European users. So it only remains to be seen which large company will violate or has already violated the GDPR and will have to pay horrendous fines. One thing is clear: at least companies will implement the GDPR as intended.
