Twitter data breach case sparks dispute, as EU weighs first penalty against Silicon Valley under new privacy law

The new 2018 privacy law, known as GDPR, allows for hefty fines if tech companies fail to notify the EU of a data breach within 72 hours.

European Union privacy regulators are clashing over how much Ireland's data privacy watchdog will fine Twitter for a data breach disclosed last year, delaying a long-awaited decision in the first case involving a U.S. tech company under the bloc's tough new data privacy rules.

Continue Reading Below

Ireland’s Data Privacy Commission was expected to issue its decision in the Twitter case under the new privacy law, known as GDPR, which took effect in 2018 and allows for hefty fines if tech companies fail to notify them of a data breach within 72 hours, The Wall Street Journal reported.

But the commission said Thursday it triggered a dispute-resolution mechanism after its counterparts in other bloc countries, so-called concerned supervisory authorities, challenged a draft decision it circulated in May. It did not disclose the countries that challenged the draft.

TIKTOK'S PARENT COMPANY BYTEDANCE TO MOVE BACK INTO HONG KONG MARKET 

“A number of objections were raised,” the Irish regulator said in a brief statement. “However, following consultation, a number of objections were maintained and the (Irish Data Privacy Commission) has now referred the matter to the European Data Protection Board," the independent body representing the bloc's privacy regulators.

The board has up to two and a half months to come up with a decision.

Twitter and other U.S. tech companies like Apple, Facebook and Google have their European headquarters in Dublin, making the Irish watchdog their lead privacy regulator in the EU.

TRUMP SIGNALS PRESSURE ON ALIBABA, OTHER CHINESE COMPANIES AFTER BYTEDANCE

The delay in the Twitter case also slows nearly two dozen other investigations into data breaches at other U.S. tech companies in Silicon Valley under the new law, the Journal reported.

Under GDPR, companies that don't make timely disclosures can be fined up to 10 million euros ($12 million) or 2% of a company’s annual revenue, whichever is higher. In 2019 Twitter's revenue reached $3.46 billion, making a potential fine worth up to $69 million.

The Twitter case stems from a security breach that affected its Android app users and let anyone view protected tweets over more than four years. The Irish regulator said in a June report it was investigating the company for failure to report the breach within 72 hours. Twitter said it fixed the breach in January 2019.

GET FOX BUSINESS ON THE GO BY CLICKING HERE

When determining penalties, regulators are supposed to consider the gravity and duration of the breach, the type of personal information involved, and whether the violation was intentional or was part of a broader pattern.

CLICK HERE TO READ MORE ON FOX BUSINESS

The Associated Press contributed to this report.