European Union privacy regulators are clashing over how much Ireland's data privacy watchdog will fine Twitter for a data breach disclosed last year, delaying a long-awaited decision in the first case involving a U.S. tech company under the bloc's tough new data privacy rules.
Ireland’s Data Privacy Commission was expected to issue its decision in the Twitter case under the new privacy law, known as GDPR, which took effect in 2018 and allows for hefty fines if tech companies fail to notify them of a data breach within 72 hours, The Wall Street Journal reported.
But the commission said Thursday it triggered a dispute-resolution mechanism after its counterparts in other bloc countries, so-called concerned supervisory authorities, challenged a draft decision it circulated in May. It did not disclose the countries that challenged the draft.
“A number of objections were raised,” the Irish regulator said in a brief statement. “However, following consultation, a number of objections were maintained and the (Irish Data Privacy Commission) has now referred the matter to the European Data Protection Board," the independent body representing the bloc's privacy regulators.
The board has up to two and a half months to come up with a decision.
Twitter and other U.S. tech companies like Apple, Facebook and Google have their European headquarters in Dublin, making the Irish watchdog their lead privacy regulator in the EU.
The delay in the Twitter case also slows nearly two dozen other investigations into data breaches at other U.S. tech companies in Silicon Valley under the new law, the Journal reported.
Under GDPR, companies that don't make timely disclosures can be fined up to 10 million euros ($12 million) or 2% of a company’s annual revenue, whichever is higher. In 2019 Twitter's revenue reached $3.46 billion, making a potential fine worth up to $69 million.
The Twitter case stems from a security breach that affected its Android app users and let anyone view protected tweets over more than four years. The Irish regulator said in a June report it was investigating the company for failure to report the breach within 72 hours. Twitter said it fixed the breach in January 2019.
When determining penalties, regulators are supposed to consider the gravity and duration of the breach, the type of personal information involved, and whether the violation was intentional or was part of a broader pattern.
The Associated Press contributed to this report.