Article

16 Nov 2022

Author:
TechCrunch

EU: Twitter is facing claims that it is violating the General Data Protection Regulation

"Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?", 14 November 2022

Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called main establishment under the European Union’s General Data Protection Regulation (GDPR), a source familiar with the matter has told TechCrunch. [...]

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is “main established” (in Twitter’s case, Ireland), rather than having to accept inbound from data protection authorities across the bloc.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators.

Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday. But the Irish Data Protection Commission (DPC)’s concerns are already spiraling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signaling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover. [...]

If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland, the company will crash out of the OSS — opening it up to being regulated by the data protection authority across the bloc’s 27 Member States, which would become competent to oversee its business.

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business-friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

If Twitter loses its ability to claim main establishment in Ireland, it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. [...]

On the GDPR side, if Twitter gets exposed to decentralized oversight across the EU by falling out of the OSS, it could lead to major headaches as it could be hit with multiple GDPR fines by watchdogs all over the region — each of up to 4% of its annual turnover. So a pipeline of such fines could quickly start to add up for Twitter. [...]
