Twitter has been fined €450,000 by the Data Protection Commission (DPC) for its handling of a data breach last year.

The regulator found that the social media network failed to notify it of the breach in time as required under the General Data Protection Regulation (GDPR).

It also found that it failed to adequately document the breach, contrary to GDPR requirements.

The administrative fine is the first sizeable one imposed on a big tech firm by the DPC under GDPR.

In a statement, the DPC said it was an "effective, proportionate and dissuasive measure".

The DPC began the probe in January 2019 after it received a breach notification from Twitter.

The subsequent investigation found that Twitter breached Articles 33(1) and 33(5) of the GDPR.

The first of these requires a data controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it.

Article 33(5) requires the controller to document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

The breach in question related to a bug in Twitter's Android app which meant some users' protected tweets were made public.

Earlier this year, the DPC submitted its draft decision in the case to other data regulators across Europe, as required under GDPR.

Some of those supervisory authorities were unhappy with the level of the proposed fine, and the case was therefore referred to a dispute resolution mechanism under the European Data Protection Board (EDPB).

It was the first such case to go through this process since the introduction of GDPR in May of 2018.

The EDPB made its decision in November and this morning published the final ruling.

Under GDPR, fines of up to €30m or 4% of global turnover, whichever is higher, can be imposed on companies for breaching the regulation.

The DPC, which is the lead supervisory authority for many large tech companies that use Ireland as their base for the European market, has come under pressure in recent years to clamp down on their activities.

In a statement, Twitter said it respects the DPC's decision, which relates to a failure in its incident response process. 

"An unanticipated consequence of staffing between Christmas Day 2018 and New Year's Day resulted in Twitter notifying the IDPC outside of the 72 hour statutory notice period," it said.

"We have made changes so that all incidents following this have been reported to the DPC in a timely fashion." 

Twitter added that it takes responsibility for the mistake and remains fully committed to protecting the privacy and data of customers.

Irish Council for Civil Liberties disappointed at 'meagre' Twitter fine

The Irish Council for Civil Liberties has said it is disappointing that the Data Protection Commissioner chose to fine Twitter a "meagre" amount for a breach of data rights under the General Data Protection Regulation (GDPR). 

The Spanish, Dutch, French, German, Austrian, Italian and Hungarian GDPR enforcers have all taken issue with the DPC's actions.

Johnny Ryan, the Senior Fellow on ICCL's information rights programme, said that, for the first time, there was an evaluation of the DPC's actions by its European peers.

"What has been exposed is sobering. Among many problems they identified, Italian, Hungarian, Austrian and German enforcers said the DPC was imposing a far too modest fine," Mr Ryan said.

He said the law allows for a fine in Twitter's case of $60m while the German regulator had wanted a fine in the range of €7.3m to €22m. 

"The European Data Protection Board made a binding decision that the DPC must reassess the level of the fine, setting a fine large enough to discourage Twitter from future breaches. In response, the DPC issued a fine that is only marginally more than it had proposed and unlikely to discourage future breaches," Johnny Ryan said.