Twitter Fined €450,000 Under GDPR Over ‘Protected’ Settings Bug

A bug in Twitter for Android discovered in late 2018 has come back to bite the microblogging company in the form of a hefty fine from Ireland’s Data Protection Commission (DPC), the authority that acts as Twitter’s lead supervisory authority in the EU and upholds EU citizens’ data protection rights.

A press release from the commission this week says its investigation into Twitter, launched after receipt of a breach notification, found that Twitter infringed Articles 33(1) and 33(5) of the GDPR (the 72-hour breach notification requirement and the requirement to document breaches) “in terms of a failure to notify the breach on time to the DPC and a failure to adequately document the breach.”

The commission has thus fined Twitter €450,000 ($550,000) “as an effective, proportionate and dissuasive measure.”

So what happened two years ago that led to this week’s penalty? As some users might remember, a bug in Twitter for Android discovered in late 2018 led to some users exposing their Tweets to the world while believing they were “protected” – the setting that restricts a user’s Tweets to the specific set of followers that user has approved.

In the Background section point 1.11 of the decision (PDF), the DPC explains the bug as follows:

“The personal data breach that is the subject of this Decision (‘the Breach’) relates to a ‘bug’ in Twitter’s design. A user of Twitter can decide if their tweets will be “protected” or “unprotected”. In the former case, only a specific set of persons (followers) can read the user’s protected tweets. The bug that resulted in this data breach meant that, if a user operating an Android device changed the email address associated with that Twitter account, their tweets became unprotected and consequently were accessible to the wider public without the user’s knowledge.”

Twitter would have handled the problem in due time had it not been understaffed at the time, the social media giant said in a statement to TechCrunch.