The ruling relates to an incident publicly disclosed in early 2019 where a security glitch had made some users’ private tweets public, and Twitter failed to send a breach notification to the DPC within 72 hours of its discovery of such an event, as is required under GDPR.
The regulator said the penalty was an “effective, proportionate and dissuasive measure”.
Responding to the fine, Twitter said it respected the DPC’s decision and had made changes in response to the incident.
“Twitter worked closely with the Irish Data Protection Commission (@DPCIreland) to support their investigation. We have a shared commitment to online security and privacy, and we respect their decision, which relates to a failure in our incident response process,” Twitter said in a statement posted to the platform.