Twitter faces GDPR probe for refusing to comply with subject access request

Academic's request for information about how the platform tracks him denied as it would take 'disproportionate effort'

Twitter is being investigated for a potential General Data Protection Regulation (GDPR) breach after refusing to provide an academic with information about how he is tracked on the platform.

The social media network uses shortened t.co links as a way to track a handful of data points, including how many clicks longer links receive. They also help to curb the spread of malware and phishing attacks, the platform says.

Michael Veale, a researcher based at University College London (UCL), lodged a subject access request (SAR) to find out whether these links track more data on users than Twitter lets on.

But according to Fortune, the social media company denied his request on the grounds that providing this information would take "disproportionate effort".

Advertisement
Advertisement - Article continues below

Veale then escalated the issue with a complaint to the Irish Data Protection Commission (DPC), which confirmed in a letter last week that it would investigate whether Twitter's refusal to fulfill the request constitutes a GDPR breach.

The DPC also said it would consider engaging the European Data Protection Board, an independent advisory body that works to apply the consistent application of GDPR across the continent.

"The DPC has initiated a formal statutory inquiry in respect of your complaint," the regulator wrote.

"The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect."

Ireland's data watchdog is handling the case under GDPR's One Stop Shop principle, in which a lead investigator is nominated to investigate cross-border breaches. 

The rights of data subjects have considerably strengthened since GDPR came into force on 25 May. Under the new regulations, organisations are required to provide any data held on their users or customers within 30 days, subject to exceptions in the law.

These subject access requests (SARs) also operate in tandem with the right to be forgotten, which gives data subject the right to request that data held on them by any organisation is deleted, under reasonable circumstances.

Research published last month showed just 35% of EU-based companies are fulfilling SARs within the legal 30-day timeframe, which is true for 50% of firms based outside of Europe.

This case is being handled under GDPR since the request was made after the new regulations came into force.

IT Pro approached Twitter for comment, but did not get a response at the time of writing. A spokesperson for the DPC said a statement would follow.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019
Visit/business/business-strategy/354252/huawei-takes-the-us-trade-sanctions-into-its-own-hands
Business strategy

Huawei takes the US trade sanctions into its own hands

3 Dec 2019
Visit/mobile/mobile-phones/354273/pablo-escobars-brother-launches-budget-foldable-phone
Mobile Phones

Pablo Escobar's brother launches budget foldable phone

4 Dec 2019