Ireland’s Data Protection Commission (DPC) concluded its investigation into Twitter and determined that the US social media giant violated the European Union’s General Data Protection Regulation (GDPR) rules.
The DPC’s probe was initially launched in January, 2019, when the agency was first notified of a possible violation linked to Twitter, according to a DPC statement on Tuesday, December 15. The investigation concluded that Twitter didn’t document the breach, nor did it notify officials in a timely manner, both required under GDPR mandates.
The GDPR mandates that most personal data breaches issue a notification within 72 hours of becoming aware of the issue.
The draft decision in May was submitted to other Concerned Supervisory Authorities under Article 60 of the GDPR. It was the first issue processed through Article 65 (“dispute resolution”) since the GDPR was launched. It also was the first draft decision regarding a Big Tech case that called on EU supervisory authorities to be consulted as Concerned Supervisory Authorities.
Damien Kieran, chief privacy officer and global data protection officer at Twitter, told TechCrunch that the company supported Ireland’s DPC’s investigation.
“An unanticipated consequence of staffing between Christmas Day 2018 and New Years Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period. We have made changes so that all incidents following this have been reported to the DPC in a timely fashion,” a spokesperson told TechCrunch.
Want more news? Subscribe to CPI’s free daily newsletter for more headlines and updates on antitrust developments around the world.