is being investigated by Irish privacy authorities over its refusal
to give a user information about how it tracks him when he clicks on
links in tweets.
+3.67%) users put links into tweets, the
service applies its own link-shortening service, t.co, to them.
Twitter says this
allows the platform to measure how many times a link has been
clicked, and helps it to fight the spread of malware through dodgy
privacy researcher Michael Veale, who works at University College
London, suspects that Twitter gets more information when people
click on t.co links, and that it might use them to track those
people as they surf the web, by leaving cookies in their browsers.
is his right under the new General
Data Protection Regulation (GDPR)—the sweeping set of privacy
rules that came into effect across the EU in May—Veale asked Twitter
to give him all the personal data it holds on him.
company refused to hand over the data it recorded when Veale clicked
on links in other people’s tweets, claiming that providing this
information would take a disproportionate effort. So, in August,
Veale complained to the Irish Data Protection Commission (DPC),
which on Thursday told him it was opening an investigation. As is
common with big tech firms, Twitter’s European operations are
headquartered in Dublin, which is why Veale complained in Ireland.
DPC has initiated a formal statutory inquiry in respect of your
complaint,” the watchdog said in a letter to Veale. “The inquiry
will examine whether or not Twitter has discharged its obligations
in connection with the subject matter of your complaint and
determine whether or not any provisions of the GDPR or the [Irish
Data Protection] Act have been contravened by Twitter in this
regulator also said the complaint was likely to be handled by the
new European Data Protection Board—a body that helps national data
protection authorities coordinate their GDPR enforcement efforts—as
Veale’s complaint “involves cross-border processing.”
Twitter told Veale that it would not hand over the data it held on
his tracking via t.co links, it claimed the GDPR allowed it to do so
on “disproportionate effort” grounds. However, Veale said Twitter
was misinterpreting the text of the law, and that this exemption
cannot be used to limit so-called access requests, such as the one
appears to be the first GDPR investigation to be opened in relation
to Twitter. Veale recently prompted a similar
probe into Facebook, again over a refusal to hand over data
held on users’ web-browsing activities, but Facebook(FB,
+0.29%) was already the subject of multiple GDPR investigations.
which looks a bit creepy, generally data which looks like
web-browsing history, [is something] companies are very keen to keep
out of data access requests,” said Veale.
researcher said Twitter was definitely recording the times at which
users clicked on links, and probably also information about the
kinds of device they were using. He added that it was technically
possible for Twitter to determine the user’s rough
policy says advertisers might collect IP
addresses when people click on their links—but it was unclear what
Twitter did with the information it harvested through its t.co
user has a right to understand,” Veale said.
companies are found to be breaching the terms of the GDPR, they face
fines of up to €20 million ($23.2 million) or up to 4% of global
annual revenue, whichever is bigger. Twitter’s 2017 revenues
totalled $2.4 billion, so in theory a GDPR fine could run to $96
million for the company—though this would require the Irish DPC to
decide the offense was particularly egregious.
declined to comment on the investigation.