Twitter faces privacy watchdog investigation after denying user data request
What's the story
Ireland's Data Protection Commission (DPC) is investigating Twitter over the data it collects using its link shortening service, t.co. The move from the privacy watchdog came after a user claimed that the company denied handing over his data, violating his right to request data under the GDPR - EU's comprehensive new privacy law. Here's more on it.
Issue
Questions raised over link tracking data
Twitter uses its link shortening system as a tool to prevent malicious links from spreading as well as to determine the number of clicks on a link. However, UK-based privacy researcher Michael Veale suspected these short links might be tracking browser cookies and recording device information and timestamps, making it feasible for Twitter to track their location while surfing.
Data request
So, he requested data collected by Twitter
Veale exercised his 'Right To Understand' under GDPR and asked Twitter to provide all the data it had collected on him via t.co. Under GDPR, every EU citizen has a right to request data collected on them by any company. But, Twitter denied that request, citing an exception to GDPR for demand involving a disproportionate effort. This prompted Veale to file a complaint.
Quote
Here's what DPC told Veale post launching an investigation
"The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect," DPC reportedly told Veale.
Twitter's first probe
Notably, this is GDPR's first probe against Twitter
This is the first case of GDPR-related investigation against Twitter. The company has not issued a statement on the matter, but Veale says it is misinterpreting the law's text to restrict his right to access. If it is revealed the service is collecting location information and other critical data via short links in violation of GDPR, it could face fines up to $96 million.