The DPC fined Twitter for failing to document or properly notify the regulator within 72 hours of learning of a data breach. It is noted that for the first time such a sanction was imposed against an American company as part of the new data protection system of the European Union GDPR.
In its final ruling, the Irish DPC said it had originally sought to impose a fine of $150,000-$300,000.
Twitter said in a statement the delay in reporting the incident was an “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day” and that it had made changes so that future incidents would be reported in a timely fashion.
It is noted that GDPR has been in force since 2018, but the Twitter case is the first using a new dispute resolution system under which one lead national regulator makes a decision before consulting with the other EU national regulators.
As we reported earlier, Twitter announced that it will phase out Periscope, the live-streaming video app it bought more than five years ago, by March 2021.