Irish DPA Reviews Twitter for Potential GDPR Violations

Twitter is being investigated by the Data Protection Authority (DPA) in Ireland over a possible GDPR violation. Twitter is alleged to have failed to comply with a user’s request for information – a requirement of GDPR.

Michael Veale, a privacy researcher from University College London, alerted the DPA that Twitter had denied his requests for further information on the data they collect on users of the platform. Mr. Veale requested the information from Twitter because he felt that the platform was collecting more data from users who use the t.co link-shortening service than was explained in its terms and conditions. Mr. Veale believed that users were being tracked by means of cookies.

The DPA wrote a letter to Mr. Veale stating that the DPC had initiated an inquiry following receipt of his complaint. The inquiry will examine whether Twitter failed to discharge its obligations, as alleged, in violation of GDPR and/or the Irish Data Protection Act.

The EU’s General Data Protection Regulation has been enforceable since May 25, 2018, and companies are required to provide European citizens with information regarding the data collected from them and how those data are processed. They are also required to respond to requests from consumers.

Mr. Veale was also the person who initiated the Irish DPA's investigation into Facebook earlier this year, filing a complaint after Facebook failed to respond to his request for information.

Mr. Veale said, “Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests.” However, he believes that consumers have a right to understand what is happening.

If Twitter breached the terms of GDPR, it could be fined up to €20 million ($23.2 million) or 4% of its global yearly revenue, whichever is greater. Twitter’s overall revenue in 2017 was $2.4 billion. While unlikely, a fine of $96 million would be possible.

Twitter has not commented on the DPA investigation. Mr. Veale explained that he had received a response from Twitter stating that the request could not be honored because of the “disproportionate effort” required.

Since GDPR came into effect in May, many data privacy advocates such as Mr. Veale have been subjecting social media platforms to stringent investigations. Austrian lawyer and privacy campaigner Max Schrems has also filed several complaints in different jurisdictions against Facebook, WhatsApp and Instagram; in his case, the complaints were filed within hours of the GDPR enforcement date.