Twitter in violation of GDPR?

  • A report has been filed with the Irish data protection authority over Twitter’s refusal to share records about what kind of data it has collected.

  • Twitter has refused to release the record, requested by Michael Veale of University College London, on the grounds of “disproportionate effort” - an exception allowed under the General Data Protection Regulation (GDPR).

  • Veale suspects that Twitter collects extra data on users who click its shortened links.

  • If Irish privacy authorities convict Twitter, the company could be fined up to 4% of its annual revenue.


Irish privacy authorities are looking into whether Twitter was in breach of the European law when it refused to comply with a user's request to see his data.

According to a Fortune report Friday, Twitter is under investigation by Irish privacy authorities for violating the General Data Protection Regulation (GDPR).


Michael Veale, a privacy researcher at the Unversity College London, filed a report with the Irish data protection authority (DPA) complaining that Twitter refused to give him records on what kind of data was collected by him.

Veale’s request was prompted by suspicions that the social media platform collects additional data on users that click on links made by its link-shortening service, t.co, and that it drops cookies into user browsers to track them after they leave.

Under GDPR, data subjects are allowed to ask companies to provide a copy of the data they collect, as well as amend, move and delete it. Companies found in breach of GDPR can be assessed fees up to €20 million, or 4 percent of their annual revenue, whichever is higher.

When Veale asked for a copy of his data, Twitter told him no, saying it would take a “disproportionate effort,” an exception allowed under GDPR. Veale said that Twitter was wrong, and that the exemption cannot be used to refuse the type of request he made.

Why you should care

Eyal Katz, senior marketing manager for Namogoo’s GDPR Insights, said that if t.co is considered by the authorities to help “enrich personal data with click tracking history, then the entire martech ecosystem could be heading for a GDPR tailspin.”

GDPR carries fines of up to 4 percent of a company’s total global revenue.

“Twitter may find themselves in a bind here because even if they don’t necessarily collect personal data themselves using t.co, they most likely share that information with other third-party tracking and monitoring software providers,” Katz said. “Those providers can use t.co’s click tracking data to enrich their own, and create an online persona that can then be used to target online marketing campaigns … it is predominantly online publishers that face the most risk because like Twitter, Facebook, and Google, it is publishers who are the data collectors in this scenario and they will need to keep a very close eye on their software vendors.”

More about the news

  • This is the first GDPR investigation for Twitter. European regulators are already investigatingcomplaints against Facebook and Google.

  • Veale is a veteran agitator: he prompted a similar probe into Facebook earlier this year. He issued this complaint against Twitter to the Irish Data Protection Commission (DPC) because Twitter’s European operations headquarters are in Dublin.

  • Forbes reports that because the complaint “involves cross-border processing,” it would likely to be handled by the new European Data Protection Board, which coordinates DPA GDPR efforts across regions.

Ian Simpson