Irish Twitter Probe Seen as Test Case for EU Privacy Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Sara Merken

An Irish probe into Twitter Inc.'s data disclosure practices may set the bar for what type of personal data U.S. companies must turn over to consumers under the EU’s privacy regime.

The Ireland Data Protection Commission is investigating a Twitter user’s complaint that the social media giant refused to give him a list of hyperlinks he had clicked while on the platform. Twitter claims it’s exempt from a portion of the request by Michael Veale, a privacy and technology researcher at University College London, because it would take a “disproportionate effort” to produce, according to correspondence that Veale provided to Bloomberg Law.

The Irish authority is investigating because Twitter’s European headquarters is in Dublin, as are those of Facebook Inc. and Alphabet Inc.'s Google. The outcome of the probe could help set the terms for how companies under the EU’s General Data Protection Regulation must interpret consumers’ data access rights.

Businesses and other EU data protection authorities could look to the ruling for guidance to determine whether requests for detailed reports such as Veale’s are exempt. A decision for Veale could cost companies time and money to provide users with information.

“Cases such as this one are extremely important as they provide useful guidance to other companies on how they should deal with access requests as well as provide information to data subjects on how their personal data will be used,” said Maureen Daly, head of Dublin, Ireland-based law firm Beauchamps’ data protection and freedom of information group, told Bloomberg Law via email.

Under the GDPR, a company doesn’t have to comply with some provisions if it would take a “disproportionate effort.” Veale claims the exemption doesn’t apply to data access rights.

Veale complained to the Irish Data Protection Commission, disputing the disproportionate effort claim, and argued the provision Twitter cites of the GDPR isn’t relevant to his claim. The agency has opened a formal statutory inquiry into his complaint.

Twitter is “facilitating and engaging” with the Irish regulator, company spokesman Ian Plunkett said. Plunkett declined to comment directly on Veale’s allegations.

Clarity Needed

Veale said Twitter met his request for other personal information, such as a list of his contacts and direct messages. But it drew the line at his request for time stamps and meta-data from links he clicked on through Twitter’s “t.co” link shortening service and other hyperlinks.

Twitter has said it uses the link service to measure how many times a link is clicked and protect users from malicious sites.

The critical issue in the case is large tech companies with web tracking infrastructure “believing they are able to omit this data from access requests.” Veale told Bloomberg Law. He said clarity on access rights is “sorely needed.”

The European Data Protection Board will likely take up Veale’s complaint as well because the issue involves cross-border data processing, the Irish agency said in an Oct. 11 letter to Veale that he shared with Bloomberg Law.

A spokesperson for the agency told Bloomberg Law the agency doesn’t comment on ongoing inquiries.

“The outcome of the inquiry could have far-reaching implications for organizations that process personal data, particularly in the tech sector,” James Castro-Edwards, London-based partner and head of data protection at Wedlake Bell LLP, told Bloomberg Law by email.

Request Bloomberg Law: Privacy & Data Security