RegSol Blog

DPC’s €450K Fine on Twitter: Too little?

December 2020

The Data Protection Commission (DPC) has today announced the conclusion of a GDPR investigation it conducted into Twitter International Company. This decision puts an end to an investigation dating back to January 2019, following the identification of a bug that meant that some private messages on Twitter from Android phone users could be publicly viewed.

The DPC’s draft decision was the first to go through the GDPR’s dispute resolution process under Article 60 and the first draft decision in a big tech case on which all EU supervisory authorities were consulted. In accordance with Article 65(6), where a number of other European supervisory authorities raise objections in relation to the Irish DPC’s draft decision, and the Irish DPC is of the opinion that the objections are not relevant, the matter is referred to the consistency mechanism of the European Data Protection Board (EDPB).

The DPC’s final decision is then based on the EDPB’s decision and must be adopted without undue delay, and at the latest one month after the EDPB has notified its decision to the DPC.


Stemming from a breach notification from Twitter last year, the DPC has found that Twitter infringed Articles 33(1) and 33(5) of the GDPR by failing to notify the DPC of the breach on time (within 72 hours) and failing to adequately document the breach. The DPC has imposed an administrative fine of €450,000 on Twitter as “an effective, proportionate and dissuasive measure.”

Putting this into context, Twitter has 187 million daily users, with a 6.48% share of the European social media market. Users document their thoughts in “tweets”, which, at the time of writing, are limited to 280 characters in the English language. Twitter was recently found to be the 45th most visited website in the world. As for the breach, Twitter informed the Commission that, as far as it can identify, 88,726 EU and EEA users were affected by this bug between 5 September 2017 and 11 January 2019.

Twitter confirmed that it dates the bug to 4 November 2014, but it also confirmed that it can only identify users affected from 5 September 2017. In this regard, it is possible that more users were impacted by the breach. As such, the German, Austrian and Italian supervisory authorities would have expected the fine to be greater, up to €22 million.

GDPR, which came into effect in May 2018, allows the DPC to fine companies up to 4% of their global turnover of the previous year or €20 million, whichever is greater, for contraventions of these regulations. Due regard is to be given to the nature, gravity and duration of the infringement.

Perhaps Max Schrems, a privacy activist who recently tweeted in response to Twitter’s fine, puts it best: “0.016% of their revenue, in other words, they need 1.5 hours to make that amount in revenue and pay the fine.” As for being a dissuasive and proportionate measure, the extent of this fine may certainly not act as a deterrent.

More information: the European Data Protection Board has published the Article 65 decision and the final decision on its website.

The DPC has published details on Twitter.

By Judy de Castro