Twitter Under Review by Irish DPA for Possible GDPR Violations

The Data Protection Authority (DPA) in Ireland is looking into a possible GDPR breach by social media giant Twitter after the company did not complete a user request for information.

A privacy researcher at the University College London, Michael Veale, filed a report to the DPA advising them that Twitter denied his requests for information on the data they are obtaining.  Mr Veale submitted the request with Twitter as he believed that the social media platform was collecting additional data on users when they use the link-shortening service, t.co, through the use of cookies that track them after they leave.

In a letter to Mr Veale, the DPA said: “The DPC has initiated a formal statutory inquiry in respect of your complaint. The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

After he introduction of the European Union’s General Data Protection Regulation (GDPR) legislation on May 25 2018, European citizens must be given the data companies collect on them, and what they do with it up to the date when the information was requested.

Mr Veale’s work also prompted an investigation of Facebook by the Irish Data Protection body earlier in 2018 when he submitted a complaint in relation to a similar refusal to hand over data he had requested. In relation to his complaint on Twitter’s business practice, Mr Veale said “Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests. The user has a right to understand”

Should Twitter be ruled as being in breach of the terms of the GDPR it could be subjected to penalties of up to €20 million ($23.2 million) or up to 4% of global annual revenue. Based on Twitter’s $2.4 billion 2017 overall revenue a GDPR fine could be as high as $96 million for the company. Twitter has yet to make a statement on the investigation by the DPA. However, when Mr Veale first filed the request to the company they told him that it was unable to provide it due to the  “disproportionate effort” it would require.