The U.S. social-media giant last year warned the Irish authority of a potentially disabled privacy setting that put some devices running on Google’s Android mobile operating system at risk. The Irish authority’s investigation started in January 2019. Because it potentially affected users throughout the EU, the regulator had to send the draft findings of its probe to other authorities, dragging out a process that critics complained took far too long.
“We’re sorry it happened,” Damien Kieran, Twitter’s chief privacy officer and global data protection officer, said in a statement.
The company said its failure to notify the breach in time was due to an “unanticipated consequence of staffing between Christmas Day 2018 and New Years’ Day” and that it has since made changes “so that all incidents following this have been reported” in a “timely fashion.”
Cases at the Irish data-protection regulator have been piling up since the bloc’s tough General Data Protection Regulation took effect in May 2018. The slow pace has attracted criticism from privacy advocates and other EU regulators, which have no power to decide on cases concerning wider European violations by companies with an Irish EU base.
GDPR allows regulators to levy penalties of as much as 4% of a company’s annual revenue for the most serious violations. The biggest fine to date under the EU’s data protection rules was a 50 million-euro penalty for Google issued by France’s watchdog CNIL.
Helen Dixon, Ireland’s privacy commissioner, has opened at least 20 probes into big tech firms since the EU’s new privacy rules took effect, including cases involving Apple Inc., Facebook Inc. and Microsoft Corp.’s LinkedIn.