Twitter may be the first big technology firm to face a fine by the EU’s lead regulator under the region’s tougher data protection rules after it submitted a preliminary decision in a probe into the social media firm to other member states.
Ireland’s Data Protection Commission (DPC) also said on Friday it had sent a preliminary decision to Facebook-owned WhatsApp for their submissions and made further progress in three other investigations related to Facebook.
Ireland hosts the European headquarters of a number of U.S. technology firms, making the DPC the EU’s lead regulator under the bloc’s General Data Protection Regulation’s (GDPR) “One Stop Shop” regime introduced in 2018.
The new rules give regulators the power to impose fines for violations of up to 4% of a company’s global revenue or 20 million euros ($22 million), whichever is higher.
Under GDPR, the DPC must share its preliminary decision with all concerned EU supervisory authorities and consider their views in its final verdict. Each of the bloc’s regulators may be called on for a majority decision if agreement cannot be reached.
The DPC is not commenting on the substance of the preliminary Twitter decision at this point, Deputy Commissioner Graham Doyle told Reuters.
The Twitter ruling relates to a 2019 probe into a bug in its Android app, where some users’ protected tweets were made public. Twitter is the subject of two of the 20 other inquiries the DPC had open into big tech firms at the end of 2019.
A spokeswoman for Twitter declined to comment.
Facebook has come under most scrutiny, with eight individual probes, plus two into WhatsApp and one into Facebook-owned Instagram.
The DPC said it had moved to the decision-making phase of a complaint-based inquiry which focuses on Facebook Ireland’s obligations to establish a lawful basis for personal data processing.
It said it had also sent draft inquiry reports to the complainants and companies concerned in two further inquiries concerning Instagram and WhatsApp.