The announcement of a EUR450,000 fine on Twitter by the Irish Data Protection Commissioner is the DPC's first standalone fine for a failure to comply with notification obligations under Article 33 of GDPR. To its credit, Twitter has publicly acknowledged the issue and stated that it has made changes to its incident response process so that incidents are reported in a timely fashion.

There is a lot to get through in the notice - more to come on that in due course. What immediately jumps out is the scope and breadth of objections raised by numerous other European DPAs. These covered such issues as the competence of the Irish DPC, the potential infringements of GDPR which were investigated (or not), the calculation of the proposed fine, and the qualification of Twitter, Inc. as a processor and Twitter Ireland as a controller.

Obviously this process is designed to collect, review and decide on disagreements between DPAs, and this is the first time a determination has been reached using this process. However, the differing approaches taken by the DPAs in the process really do highlight that there appears to be a long way to go in achieving consistency in what, and how, they investigate.