Page Loader
Twitter faces privacy watchdog investigation after denying user data request

Twitter faces privacy watchdog investigation after denying user data request

Oct 14, 2018
07:06 pm

What's the story

Ireland's Data Protection Commission (DPC) is investigating Twitter over the data it collects using its link shortening service, t.co. The move from the privacy watchdog came after a user claimed that the company denied handing over his data, violating his right to request data under the GDPR - EU's comprehensive new privacy law. Here's more on it.

Issue

Questions raised over link tracking data

Twitter uses its link shortening system as a tool to prevent malicious links from spreading as well as to determine the number of clicks on a link. However, UK-based privacy researcher Michael Veale suspected these short links might be tracking browser cookies and recording device information and timestamps, making it feasible for Twitter to track their location while surfing.

Data request

So, he requested data collected by Twitter

Veale exercised his 'Right To Understand' under GDPR and asked Twitter to provide all the data it had collected on him via t.co. Under GDPR, every EU citizen has a right to request data collected on them by any company. But, Twitter denied that request, citing an exception to GDPR for demand involving a disproportionate effort. This prompted Veale to file a complaint.

Quote

Here's what DPC told Veale post launching an investigation

"The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect," DPC reportedly told Veale.

Twitter's first probe

Notably, this is GDPR's first probe against Twitter

This is the first case of GDPR-related investigation against Twitter. The company has not issued a statement on the matter, but Veale says it is misinterpreting the law's text to restrict his right to access. If it is revealed the service is collecting location information and other critical data via short links in violation of GDPR, it could face fines up to $96 million.