Michael Veale, a privacy researcher at University College London, sparked an investigation into Twitter and how it tracks users when they click on its shortened (t.co) links. When Veale requested all the information Twitter has stored about him, Twitter did not include the information it gathered from it’s t.co URL-shortening system. Under GDPR, EU citizens, like Veale, have a right to request any data a company collects about them.
Twitter’s reasoning for not sharing the information is based on a clause in the UK-wide Data Protection Act of 1998. The DPA includes an exemption for disclosing collected information if “providing the information in a permanent form would involve disproportionate effort.”
Veale responded by filing a complaint with the Irish Data Protection Commission (DPC). The DPC responded by saying that it “has initiated a formal statutory inquiry in respect of your complaint.”
The Irish Data Protection Commission said in a statement:
“The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
Loopholes in GDPR
If Twitter provides no transparency into what kind of information it collects from these shortened t.co links, no one can know if the information is actually significantly minor compared to the effort required to get it. GDPR, like any regulation, has its loopholes for anyone collecting data to avoid disclosing their users’ data.
Invisible Data Chains
A company could be based in the EU with EU users, but they could transfer the data to a third party outside of the EU. If data can easily be transferred out of GDPR jurisdiction, users aren’t really protected. Companies could transfer your data to advertisers, or to entities set up outside the EU to allow for third party use.
Twitter or any company can collect any piece of information about you under GDPR, as long as they can demonstrate that they have a legitimate interest in doing so. This is the ultimate loophole for businesses, who stand to benefit greatly from more user data. The Information Commissioner’s Office (ICO) calls legitimate interests “the most flexible lawful basis for processing.”
Other Privacy Issues with Twitter
- Citron Research reported in March that Twitter is the social media company “most vulnerable to privacy regulation”. This was after Twitter reported that even as its own advertising revenue fell in the past year, while its data licensing revenue grew.
- In May 2018, Twitter had bug in the hashing process that masks passwords. Users’ passwords were then stored in plain-text to an internal log. As a result, up to 300 million users were told to change their passwords.