On December 15, the Irish Data Protection Agency imposed a fine of 450,000 euros onTwitter Europe (located in Ireland), the result of not communicating a personal data security breach to the Irish DPA in time and for not having properly documented it .
This breach affected thousands of people in the different European countries, and as a consequence the DPA had to coordinate and cooperate with the interested control authorities of these affected countries.
This led to the use for the first time of the conflict resolution process through the European Data Protection Committee, which would act as an arbitrator between the Main Control Authority and the rest of the authorities.
The cause of this sanction goes back three years, precisely on December 29, 2018, when a third party noticed the existence of an error in the code of the Twitter system and that it especially affected Android users.
This error assumed that if the Android user changed the email linked in his Twitter account, the protected tweets, that is, those tweets that supposedly only the user's followers have access, would become accessible to everyone.
On January 3, 2019, Twitter USA decided that this error should be treated as a security breach, something that was not notified to Twitter Europe until after four days and later to theIrish DPA.
According to the communication that Twitter Europe sent to the Irish DPA, between September 5, 2017 and January 11, 2019, more than 88,000 people were affected by thiserror.
According to the DPA, Twitter EU should have been aware of the security breach on January3, 2019, the date on which Twitter USA internally classified as a security breach. This lack of communication caused Twitter EU to notify the incident outside the established limit, which is the first 72 hours, as established in article 33.1 of the GDPR.
Ultimately, the Irish DPA concluded that Twitter EU violated Article 33.5 of the GDPR by not properly documenting the security breach and providing this information to the Irish DPA during its investigation.
For all this, Twitter EU has ended up receiving its first fine for violation of the General DataProtection Regulation.