The Data Protection Authority (DPA) in Ireland is investigating social media giant Twitter over possible GDPR non-compliance after the company did not comply with a user request for information.
A privacy researcher at the University College London, Michael Veale, submitted a report to the DPA informing them that Twitter denied his requests for information on the data they are collecting. Mr Veale lodged the request with Twitter as he felt that the social media platform was gathering additional data on users when they implement the link-shortening service, t.co, through the use of cookies that track them after they leave.
In a letter to Mr Veale, the DPA stated that “The DPC has initiated a formal statutory inquiry in respect of your complaint. The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
Following the introduction of the European Union’s General Data Protection Regulation (GDPR) legislation on May 25 2018, European citizens must be provided with the data companies collect on them, and what they do with that date when the request it.
Mr Veale also prompted an investigation of Facebook via the Irish Data Protection body earlier this year when he lodged a complaint in relation to a similar refusal to provide data he had requested. Regarding his complaint linked with Twitter’s business practice, Mr Veale said “Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests. The user has a right to understand”
Should Twitter be found in breach of the terms of the GDPR it would be subjected to fines of up to €20 million ($23.2 million) or up to 4% of global annual revenue. Based on Twitter’s $2.4 billion 2017 overall revenue a GDPR fine could possibly run to $96 million for the company. Twitter has yet to release a comment on the investigation by the DPA. However, when Mr Veale first submitted the request to the company they advised him that it was unable to provide it due to the “disproportionate effort” it would require.
Since GDPR was introduced by the EU in May social media platforms has been subjected to stringent investigation by private data advocates like Mr Veale. Hours after the legislation became enforceable Austrian Lawyer and privacy campaigner Max Schrems filed multiple cases, in multiple jurisdictions, against Facebook and its subsidiaries WhatsApp and Instagram. You can read more about that story here.