Twitter investigated for possible GDPR breach

Twitter is currently being investigated by Irish privacy authorities for not disclosing how it tracks a user when they click on links in tweets.

When users put links into tweets, the platform applies its own link shortening service, which Twitter claims to measure how many times a link has been clicked as well as helping to fight against malware.

Michael Veale, a privacy researcher at University College London, suspects that Twitter might be in fact using the links to track people as they navigate the internet.

According to the new Data Protection Regulation (GDPR), it is the right of Mr. Veale to know how or whether the social media platform tracks him through the internet.

Upon asking Twitter to give him his personal data, the company refused to hand over information it recorded when he clicked on links in other people’s tweets and claimed that doing so would take a disproportionate effort.

In August a complaint was made to the Irish Data Protection Commission (DPC), which on Thursday notified Veale that it was to open an investigation.

In a letter, the watchdog said that, “The DPC has initiated a formal statutory inquiry in respect of your complaint”.

It continued, saying that, “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

It is likely that the complaint will be handled by the new European Data Protection Board, which assists national data protection authorities to coordinate GDPR enforcement efforts.

Although it appears that the investigation is the first to be opened in relation to Twitter, Facebook is already the subject of multiple investigations.

Veale said that, “data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests.”

The researcher said that Twitter was “definitely” recording the times at which users clicked on links, as well as the possibility of knowing what device a user is using.

Companies that breach the terms of GDPR could face fines of up to €20 million or up to 4% of global annual turnover.

It is unlikely however, that Twitter would face severe punishment as a result of the investigation, although it could force the platform to comply with future requests.