The Irish Data Privacy Commissioner (ODPC) is investigating exactly how much data Twitter collects from its URL shortening systemt t.co.
| ODPC investigates Twitter over alleged user tracking under GDPR.
Twitter is being investigated by ODPC following its refusal to provide a user with data about how he is tracked.
Privacy researcher Michael Veale complained when Twitter refused to fulfill an access request for all personal information held on him. Specifically, Twitter refused to disclose tracking data from when he clicked on t.co links held in other users’ tweets. The platform argued it would take a “disproportionate effort”.
Veale believes Twitter obtains information when users click on t.co-shortened links, and possibly uses them to track users using cookies.
What is Twitter’s t.co?
As first reported by Fortune, the investigation centre’s on Twitter’s use of its URL-shortening service, t.co. The service measures how many clicks a link receives and also helps to curb the spread of malware. This is confirmed in a letter obtained by The Verge sent to Veale by the ODPC:
The DPC has initiated a formal statutory inquiry in respect of your complaint, …The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Data Protection] Act have been contravened by Twitter in this respect.
t.co was originally designed as a way to save characters in the limited space of a tweet. Link-shortening has also been proven to be an effective tool at fighting malware and gathering rudimentary analytics. Analytics services can also present a significant privacy risk when when used in private messages. Both Twitter and Facebook have faced lawsuits for collecting data on links shared in private messages. However, no wrong-doing was conclusively established in either of these cases.
Why the ODPC investigates Twitter
Under the GDPR, EU residents have the right to request a copy of their personal data from a Data Controller. As the Data Controller in this case, Twitter has a legal obligation to provide that data. This process is referred to as a Subject Access Request (SAR).
Michael Veale commented:
Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests,
Twitter refused to hand over the data it recorded when Veale clicked on links in other people’s tweets. The company claimed that providing this information would take a disproportionate effort. In August, Veale complained to the ODPC, which told him that it would be opening an investigation. Like many other big tech firms, Twitter’s European HQ is in Dublin, which is why Veale complained in Ireland.
According to the ODPC’s letter, Veale’s complaint will be handled by the new European Data Protection Board, since it involves “cross-border processing”.
ODPC investigates Twitter this week… who will be next?
Any company caught breaching GDPR faces fines of up to €20 million or up to 4% of global annual revenue. Whichever is bigger. Twitter’s 2017 revenues totalled $2.4 billion. So, in theory a GDPR fine could run to $96 million for the company. However, this would require the Irish DPC to decide the offense was particularly scandalous.
Twitter declined to comment on the investigation.