Twitter is, according to a Fortune report Friday, under investigation by Irish privacy authorities for violating the General Data Protection Regulation (GDPR).

A report was filed by Michael Veale, a privacy researcher at the Unversity College London, with the Irish data protection (DPA) and complained that Twitter refused to give him records on waht sort of data was being collected by by him.

Veale was suspicious that Twitter was collecting additional data on users that click on links made by its link-shortening service, t.co, and that it drops cookies into users browsers to track them after they leave.

Under GDPR rules, data subjects can ask companies to provide a copy of data that they collect, as well as amend, move and delete it. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.

When Veale asked for a copy of his data, Twitter told him no, saying it would take a “disproportionate effort,” an exception allowed under GDPR. Veale said that Twitter was wrong, and that the exemption cannot be used to refuse the type of request he made.

According to Eyal Katz, senior marketing manager for Namogoo’s GDPR Insights, if t.co is considered by the authorities to help “enrich personal data with click tracking history, then the entire martech ecosystem could be heading for a GDPR tailspin.”

GDPR carries fines of up to 4 percent of a company’s total global revenue.

“Twitter may find themselves in a bind here because even if they don’t necessarily collect personal data themselves using t.co, they most likely share that information with other third-party tracking and monitoring software providers,” Katz said. “Those providers can use t.co’s click tracking data to enrich their own, and create an online persona that can then be used to target online marketing campaigns … it is predominantly online publishers that face the most risk because like Twitter, Facebook, and Google, it is publishers who are the data collectors in this scenario and they will need to keep a very close eye on their software vendors.”

Here is more information about the situation:

  • This is the first GDPR investigation for Twitter. European regulators are already investigating complaints against Facebook and Google.
  • Veale is a veteran agitator: he prompted a similar probe into Facebook earlier this year. He issued this complaint against Twitter to the Irish Data Protection Commission (DPC) because Twitter’s European operations headquarters are in Dublin.
  • Forbes reports that because the complaint “involves cross-border processing,” it would likely to be handled by the new European Data Protection Board, which coordinates DPA GDPR efforts across regions.

Source –