Ireland’s Data Protection Commission handed down a fine of 450,000 euro to Twitter after finding that the social media platform violated the European Union’s General Data Protection Regulation (GDPR).
The fine was announced on Tuesday and is notable because Twitter is the first US-based tech firm to be penalised by the Irish regulator under the GDPR.
GDPR came into force in May 2018. Among other privacy requirements not enforced in many parts of the world, it obliges companies that handle EU residents' personal data to obtain their consent before, for example, placing cookies on their devices. The fine handed to Twitter, however, concerned its failure to follow the procedure the regulation requires when a personal data breach occurs.
What Twitter was accused of doing
Under the GDPR, when a company becomes aware of a breach that compromises users' personal data, it must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. On top of that, the company must document the breach (the facts, its effects and the remedial action taken) so that the regulator can verify compliance.
Ireland's Data Protection Commission found that Twitter fell short of these requirements in early 2019, after it discovered a bug in its Android app that made some users' protected (private) tweets publicly visible.
The watchdog said in a press release that Twitter infringed Articles 33(1) and 33(5) of the GDPR by failing to notify the breach on time and to document it adequately.
The task for the Irish regulator
Damien Kieran, Twitter's Chief Privacy Officer and Global Data Protection Officer, said the company worked with the IDPC to support the investigation. He attributed the delay to an unforeseen staffing decision between Christmas Day 2018 and New Year's Day.
Twitter did notify the IDPC, but only after the 72-hour statutory notice period had passed.
The fine was handed out by the Irish regulator after a roughly two-year investigation. The IDPC is the lead authority because Twitter's European headquarters is located in Ireland, alongside those of many other US-based tech companies, several of which face GDPR inquiries of their own.