Twitter Under Formal Investigation for How It Tracks Users in the GDPR Era
Twitter Under Formal Investigation for How It Tracks
Users in the GDPR Era
·
GDPR Is Going to Cause American Companies
Trouble
·
They could face some hefty fines if they don’t
comply
By DAVID MEYER October 12, 2018
Twitter is being investigated by Irish privacy
authorities over its refusal to give a user information about how it tracks him
when he clicks on links in tweets.
When Twitter users put links into tweets, the service
applies its own link-shortening service, t.co, to them. Twitter says this
allows the platform to measure how many times a link has been clicked, and
helps it to fight the spread of malware through dodgy links.
However, privacy researcher Michael Veale, who works at
University College London, suspects that Twitter gets more information when
people click on t.co links, and that it might use them to track those people as
they surf the web, by leaving cookies in their browsers.
As is his right under the new General Data Protection
Regulation (GDPR)—the sweeping set of privacy rules that came into effect
across the EU in May—Veale asked Twitter to give him all the personal data it
holds on him.
The company refused to hand over the data it recorded
when Veale clicked on links in other people’s tweets, claiming that providing
this information would take a disproportionate effort. So, in August, Veale
complained to the Irish Data Protection Commission (DPC), which on Thursday
told him it was opening an investigation. As is common with big tech firms,
Twitter’s European operations are headquartered in Dublin, which is why Veale
complained in Ireland.
“The DPC has initiated a formal statutory inquiry in
respect of your complaint,” the watchdog said in a letter to Veale. “The
inquiry will examine whether or not Twitter has discharged its obligations in
connection with the subject matter of your complaint and determine whether or
not any provisions of the GDPR or the [Irish Data Protection] Act have been
contravened by Twitter in this respect.”
The regulator also said the complaint was likely to be
handled by the new European Data Protection Board—a body that helps national
data protection authorities coordinate their GDPR enforcement efforts—as
Veale’s complaint “involves cross-border processing.”
When Twitter told Veale that it would not hand over the
data it held on his tracking via t.co links, it claimed the GDPR allowed it to
do so on “disproportionate effort” grounds. However, Veale said Twitter was
misinterpreting the text of the law, and that this exemption cannot be used to
limit so-called access requests, such as the one he made.
This appears to be the first GDPR investigation to be
opened in relation to Twitter. Veale recently prompted a similar probe into
Facebook, again over a refusal to hand over data held on users’ web-browsing
activities, but Facebook was already the subject of multiple GDPR
investigations.
“Data which looks a bit creepy, generally data which
looks like web-browsing history, [is something] companies are very keen to keep
out of data access requests,” said Veale.
The researcher said Twitter was definitely recording the
times at which users clicked on links, and probably also information about the
kinds of device they were using. He added that it was technically possible for
Twitter to determine the user’s rough location—Twitter’s privacy policy says
advertisers might collect IP addresses when people click on their links—but it
was unclear what Twitter did with the information it harvested through its t.co
service.
“The user has a right to understand,” Veale said.
If companies are found to be breaching the terms of the
GDPR, they face fines of up to €20 million ($23.2 million) or up to 4% of
global annual revenue, whichever is bigger. Twitter’s 2017 revenues totalled
$2.4 billion, so in theory a GDPR fine could run to $96 million for the
company—though this would require the Irish DPC to decide the offense was
particularly egregious.
Twitter declined to comment on the investigation.
Comments
Post a Comment