Twitter is one of the latest tech giants to face scrutiny over data protection charges. An investigation has been launched by the Irish Data Protection Commission (IDPC) on charges of violating GDPR regulations by declining to provide a user with tracking data.
The issue stems from Twitter’s link-shortening system. When users share links on Twitter, the service applies its own t.co link-shortening service, which the company claims allows it to measure how many times a link has been clicked and helps it to fight the spread of malware on the platform. Privacy researcher Michael Veale became suspicious of the system, believing that Twitter recorded more data than it claims to, such as device info, IP addresses and timestamps, and that it was technically feasible for the company to gauge someone’s approximate location and to track those people as they browse the web.
Naturally, Veale invoked his “right of access to personal data”, which under GDPR gives him the right to receive from Twitter:
- confirmation of whether it is processing his data
- other supplementary information (including mandatory privacy information)
- a copy of the personal data being processed
Twitter declined to hand over the data, claiming GDPR allowed it to do so on the grounds of “disproportionate effort”, but Veale said this exemption cannot be used to limit access requests from users.
Veale then complained to the IDPC and received a response by letter on October 11th saying “The DPC has initiated a formal statutory inquiry in respect of your complaint,” and “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
The IDPC also noted that, as Veale’s complaint involved “cross-border processing”, the complaint would likely be handed to the new European Data Protection Board.
Twitter declined to comment, saying only that it was “actively engaged” with the IDPC. If found to be in breach of GDPR, the company could face a fine of up to €20m or up to 4 per cent of its global annual revenue.