Twitter was fined €450,000 (£400,000) by the Data Security Tribunal in Ireland for violating the European GDPR data privacy laws.
This is the first time that the EU regulator has penalised a major US tech company under GDPR legislation.
It ruled that Twitter had not informed it within 72 hours of detecting a data breach in January 2019, and that Twitter had not properly reported what had happened.
Twitter has taken responsibility for this.
In a statement, the company blamed “an unanticipated consequence of staffing” during the period between Christmas Day 2018 and 1 January 2019 for its failure to notify the regulator within 72 hours of the detection of the breach.
“We respect the IDPC’s decision, which relates to a failure in our incident response process,” said Damien Kieran, Twitter’s Chief Privacy Officer and Global Data Security Officer.
The IDPC said it agreed that the fine was “an effective, proportionate and dissuasive measure”.
It related to a flaw affecting Android users who had made their tweets private: if they made any changes to their account, their tweets might have been made public in error. The bug dated back to 2014, the company said at the time.
It was revealed in January 2019 and the DPC launched its investigation shortly afterwards.
Darren Wray, of the privacy company Guardum, said the penalty was a warning that the teeth of the GDPR were “getting sharper”.
“This case should send a message to large tech firms that they need to take their data privacy responsibilities very seriously,” he said.
The fine is not linked to the theft of celebrity Twitter accounts that occurred in the summer.