DPC investigating Twitter over alleged short-link data collection

15 Oct 2018199 Views

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

Twitter logo. Image: victoreus/Depositphotos

Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Pin on PinterestShare on RedditEmail this to someone

The Irish Data Protection Commission is investigating Twitter over alleged user tracking.

Twitter is being probed by the Irish Data Protection Commission (DPC) over its refusal to provide a user with data about how he is tracked when he clicks on links in tweets.

As was first reported by Fortune, Twitter’s use of its own link-shortening service, t.co, is the crux of the investigation. The platform uses the service to measure how many clicks a link receives and it also helps to curb the spread of malware through bad links.

Privacy researcher wants answers

A privacy researcher at University College London, Michael Veale, believes that Twitter gets more information when people click on the t.co-shortened links and it may be using them to track users online using cookies.

Under GDPR, Veale asked Twitter to provide him with all of the personal data it had collected when he clicked on links in other people’s tweets, but it refused to relinquish it.

Veale then complained to the Irish DPC, helmed by Helen Dixon. On Thursday last (11 October), the DPC told Veale in a letter that it was commencing an investigation. “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

According to the letter, Veale’s complaint will be handled by the new European Data Protection Board as it involves “cross-border processing”.

Twitter says it was not obliged to hand over data

Twitter said it would not hand over the data as GDPR allowed it to decline on the grounds of “disproportionate effort” but Veale said this exemption cannot be used to limit access requests from users. The company has said it is “actively engaged” with the DPC.

Veale believes the company was definitely recording the times at which users clicked on the t.co short links and added that it was technically possible for the company to determine a user’s rough location. The platform’s privacy policy says advertisers might collect IP addresses when people click on their links.

Twitter logo. Image: victoreus/Shutterstock

Ellen Tannam is a writer covering all manner of business and tech subjects

editorial@siliconrepublic.com