Data Protection & Privacy

Breaking: Irish court confirms €450,000 GDPR fine on Twitter

The Dublin Circuit Court has confirmed the Irish Data Protection Commission’s (DPC) decision to impose a GDPR fine of €450,000 on Twitter for failing to report a data breach in time.

The court has now confirmed the “administrative fine” (GDPR fine) the DPC had imposed on the social media giant through its draft decision in December 2020. Back then, it was the first draft decision in a big tech case.

Details of the incident

Twitter disclosed a data breach in January 2019. A security flaw exposed private tweets from Twitter’s Android users for over four years. When a user with a protected account changed their email address, their account would become unprotected.

As per the General Data Protection Regulation (GDPR) mandate, Twitter notified the DPC. However, the DPC investigated the incident and found that Twitter failed to inform the authority within 72 hours. The company informed the DPC of the personal data breach on 8th January although it ought to have been aware of it at the latest by January 3rd, 2019.

As per Article 33 of the GDPR, any data controller shall notify a personal data breach to the supervisory authority within 72 hours. The supervisory authority is Irish DPC in this case since Twitter’s international headquarters are based in Ireland.

What’s the role of a court though?

The DPC “had the decision confirmed” in the Dublin Circuit Court. Ireland has passed the Data Protection Act of 2018 to give effect to GDPR.

As per Section 143 of the Act, where a data controller or processor does not appeal against a decision to impose fine, the Commission shall make an application in a summary manner to the Circuit Court for confirmation of the decision. The court then hears the application and confirms the decision, unless it sees good reason not to do so.

You can read the European Data Protection Board’s binding decision on the issue here.


Do subscribe to our Telegram group for more resources and discussions on tech-law. To receive weekly updates, don’t forget to subscribe to our Newsletter.

Rohit Ranjan Praveer

Rohit is a practicing advocate at Delhi. Beginning as a tech enthusiast, Rohit always had a keen interest in computer forensics and information security. Building upon these fundamentals, he has undertaken extensive research on various techno-legal topics and continues his pursuit pass on valuable information to the masses, with a zeal to build something that outlasts him.​

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.