Twitter faces investigation by privacy watchdog over user tracking

Twitter reportedly refused access to researcher Michael Veale on the data it holds about him - AFP

Ireland’s Data Protection Commission has launched an investigation into Twitter after it refused a request inquiring into its collection of location data from users.

The social media company is alleged to have turned down the request from Michael Veale, a technology policy researcher at University College London, who was seeking information about the data Twitter collects about him from shortened Twitter links.

When users tweet a link to a web address on the platform, Twitter applies its own technology to shorten the URL into a t.co format.

Mr Veale believes the company could be collecting information such as timestamps and the devices being used. It could be possible to figure out a person’s location with this data. Ireland’s privacy watchdog received the complaint in August.

Twitter’s circumvention of Mr Veale’s request to access information could count as a violation of the European Union’s General Data Protection Regulation - a new privacy framework that came into effect in May.

Under the EU GDPR rules, requests can be submitted to companies about the personal data they hold on individuals like Mr Veale. He has asked Twitter for all the personal data it retains about him, but the company claimed it would require “disproportionate effort” to collect the data.

Twitter says it uses the t.co domain to allow the sharing of long URLs without exceeding the 280 character limit of a tweet, to measure information such as how many times a link has been clicked and “as a quality signal for surfacing relevant, interesting tweets.”

It is also part of the company’s service to protect users from malicious sites, with the URL-shortening application used to assess the link against a list of potentially dangerous web pages.

In a statement, a spokesman for Ireland’s Data Protection Commission said: "I can confirm that following receipt of a complaint, the Data Protection Commission last week opened a statutory investigation to determine whether or not any provisions of the GDPR or the Data Protection Act 2018 have been contravened by Twitter.”

The investigation is ongoing. Under GDPR rules, maximum fines for serious violations can amount to €20m or 4pc of annual global turnover.

Twitter’s potential breach of GDPR is unlikely to trigger a maximum fine, given that this is the first investigation it has faced about its adherence to the data privacy rules.