Privacy regulators in Ireland have started an investigation into the data Twitter collects through its URL-shortening (link-shortening) system, t.co.
How and where did it all start?
A privacy researcher named Michael Veale – who works at University College London – asked Twitter to provide more information about the data it collects when users use its URL-shortening system. The company, however, refused to give information to the UK professor, who in turn called for quick investigative action by European privacy authorities.
The investigation request was made under the General Data Protection Regulation (GDPR), which gives EU citizens the right to request any data collected on them from any company. GDPR is a comprehensive European privacy law that protects the privacy of European users and aims to give individuals control over their data.
Under the law, business processes that manage personal data must be built and designed in such a way that they follow the principles and use the best possible privacy settings by default, as well as provide safeguards to protect data. Additionally, data should not be available publicly without informed, explicit consent, and no personal information should be processed without a lawful basis.
Privacy researcher Veale suspected that the company gets more than the requisite information when users click on t.co links. According to Twitter, it applies its own link-shortening service (t.co) to links when users put them into tweets. This allows the company to measure the number of times a link has been clicked and helps the platform fight the spread of harmful viruses through unreliable links.
The Irish Data Protection Commission initiates a formal statutory inquiry into the link shortening
When the researcher received a negative response, he complained to the Irish DPC (Data Protection Commission), which promptly started an investigation. Veale complained in Ireland because the European operations of the company are headquartered in Dublin.
The Commission said in a letter to Veale, “The DPC has initiated a formal statutory inquiry in respect of your complaint. The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
The letter further said that the new European Data Protection Board will handle the complaint because it involves cross-border processing. This is the first GDPR investigation opened against Twitter. Veale, who has made a similar request for investigation against Facebook, said Twitter was recording the times users clicked on links and the kind of devices they were using.