The European Union has levied a fine of €450,000 against social media platform Twitter for violating a privacy law instituted in 2018.
The fine, equal to about $546,000, is the first issued under the law to an American technology company. It stems from a breach publicized in January 2019 that, for at least four years, exposed the private Twitter messages of some users.
Twitter failed to comply with the law's requirements to document the breach and notify Ireland's Data Protection Commission within 72 hours, according to the commission. Because Twitter has a regional office in Ireland, the commission is charged with enforcing the EU's General Data Protection Regulation against the platform.
The commission found that Twitter's breach was negligent, not intentional, and did not impose the maximum fine of 2% of the company's worldwide annual revenue. That would have amounted to $60 million, according to its 2018 data.
Other U.S. tech companies also have offices in Ireland and are under investigation by the same commission for privacy matters, including Google, Apple, and Facebook.
The Twitter case lasted for two years. Critics such as David Martin, who works at a European consumer rights organization, say actions against privacy violations under the 2018 law are too slow in coming.
"We are coming to a turning point where the GDPR really needs to start delivering," he said. "The credibility of the whole system is at stake if enforcement doesn't improve."