Ireland's data regulator has fined Twitter €450,000, in the first sanction against the company under new EU data privacy laws.
Twitter was found to have breached GDPR rules - or General Data Protection Regulation - relating to a data breach discovered in 2018, whereby tweets by users who had protected accounts were actually unprotected and viewable to the wider public.
If a user protects their account, it means only their approved followers should be able to see their tweets.
However a bug in Twitter's system meant if users on an Android device changed the email address associated with their account, the protected tweets became unprotected without the user's knowledge.
Ireland’s Data Protection Commission (DPC) said Twitter had infringed GDPR due to its failure to notify the breach on time, and its failure to adequately document the breach.
“The DPC has imposed an administrative fine of €450,000 on Twitter as an effective, proportionate and dissuasive measure,” it said.