In parallel with the FTC’s ominous warning to Elon Musk’s Twitter yesterday — that ‘no CEO or company is above the law‘ — the microblogging platform’s lead regulator in the European Union is on its case in the wake of senior staffers in charge of security and privacy compliance walking out the door.
Graham Doyle, a deputy commissioner at Ireland’s Data Protection Commission (DPC), which currently leads oversight of Twitter under the EU’s General data Protection Regulation (GDPR), told TechCrunch it’s in contact with the company following media reports yesterday that its data protection officer (DPO) had resigned.
A meeting between the DPC and Twitter will take place early next week, according to Doyle. He also confirmed to us that Twitter had not informed the regulator of the DPO’s departure prior to the media reports.
Getting clarity over the DPO situation will be top of the meeting agenda, per Doyle.
But he said the regulator now has another concern it wants to discuss with Twitter — regarding whether Twitter’s main establishment, for GDPR purposes, is still located in Ireland…
Next stop: One-stop-shop stopped?
“One of the issues that we want to discuss is the issue around main establishment,” Doyle told TechCrunch. “They’re obliged to have a data protection officer in place and provide us with the details but equally, under the [GDPR] one-stop-shop (OSS) mechanism in order to get a main establishment to engage with one regulator, the decision making processes — in terms of the processing of EU data — needs to take place in that country. That’s one of the principles of main establishment. And what we want to establish is that that is continuing to be the case for Twitter.”
Ireland being Twitter’s lead regulator for the GDPR under the OSS is important because it puts the Irish watchdog in the driving seat when it comes to opening inquiries (or not), or otherwise acting on concerns over Twitter’s compliance (such as following up on the un-notified resignation of its DPO now). From Twitter’s point of view, the arrangement is advantageous because it streamlines compliance since it only needs to liaise with one (lead) regulator over any issues, rather than handling inbound from multiple data protection agencies (potentially in different languages).
Ireland has a lead supervisor role for Twitter because the company was able to notify its Dublin office as its “main establishment” in the EU — what the regulation refers to as either the place of “central administration in the Union” or “where the main processing activities take place in the Union”.
However were Twitter to be deemed to no longer have this processing base in Ireland there would be an immediate regulatory reconfiguration and data protection authorities across the bloc, from any of the EU’s 27 Member States, could instigate inquiries or act on local complaints themselves — cranking up the regulatory complexity, velocity and risk for Twitter’s European business.
With Musk slashing 50% of Twitter’s headcount globally just last week — and a reported “carnage” in the Irish office, per an Irish Times report which said more than 50% of local staff were affected — questions have arisen in Dublin over the stability of its main establishment status for the GDPR.
“We’ve made contact with Twitter.. And for us one of the issues we want to discuss with them is the issue of main establishment — is there any change? With the announcement of the departures — including the DPO — is there any plans to change the decision making process that’s in place that allows them to avail of the main establishment,” Doyle reiterated.
Reports that all was not well up at the senior echelons of Twitter’s security and privacy function spilled out onto Twitter yesterday afternoon.
Platformer journalists, Casey Newton and Zoë Schiffer, reported that Twitter’s CISO, chief privacy officer and chief compliance officer has all resigned — citing messages shared in Twitter Slack which they had obtained.
Soon afterwards, the Washington Post’s Cat Zakrzewski tweeted that the Irish DPC was “seeking more information” from Twitter.
Twitter CISO Lea Kissner later confirmed her departure in a tweet — as did Damien Kieran, Twitter’s now ex chief privacy officer. While Marianne Fogarty, Twitter’s (reportedly ex) chief compliance officer, tweeted what may be an indirect confirmation too late yesterday — writing: “Therapy Thursdays have taken on new meaning of late. #LoveTwitter”.
Enquiries to Twitter’s press line have gone unanswered since Musk took over so it’s not been possible to obtain an official line on what’s going on.
The company’s communications department appears to have been a major casualty of the 50% headcount reduction Musk swiftly applied on taking over — with press staffers either entirely or almost entirely laid off.
It also not clear how many of Twitter’s staff in Ireland were laid off last week. There is no obligation on the company to report overall layoffs numbers to the DPC. Nor is the criteria a regulator should use for assessing main establishment clear as it is not stipulated in the GDPR itself — but rather left up to regulators to determine. (On determining main establishment, the regulation states: “The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” — further stipulating that “criterion should not depend on whether the processing of personal data is carried out at that location” nor should “the presence and use of technical means and technologies for processing personal data or processing activities” be a determining criteria. So it’s rather more definitive on what isn’t necessary to declare main establishment than what is, giving regulators some leeway in any assessments they make on this.)
Asked about assessing main establishment, Doyle said the status depends on the decision making facility for the processing of EU data being located in the country — though he said that does not necessarily mean the DPO must themselves be based locally. (The now ex Twitter DPO Kieran appears to have been based in San Francisco, per his LinkedIn profile.)
“The key thing for us is that we’re notified, we know who the DPO is, we have the contact details and [the DPO is] contactable at any time that we need to contact him or her. By law they don’t geographically have to be in a specific place,” he also told us. “We do have to know who they are and have all the details. But the key piece is that decision-making piece — in order to avail of main establishment — must be happening in the country where you are main established.”
“If that does change — and the decision making is not happening here in Ireland — all supervisory authorities are competent to regulate them,” Doyle added.
Whether Musk is capable of understanding what’s at stake for Twitter here is a moot point. With so many of Twitter’s core compliance staff now out the door — and an inner circle of techbros and yes-men surrounding the billionaire and cheering his trolling on — that looks highly questionable.
Musk also has a history of trolling regulators so it’s not inconceivable he’s intensely relaxed about ignoring implications for Twitter’s legal compliance — which would (or should) crank up the DPC’s concerns, making a loss of main establishment status more likely. After which Rubicon crossing, Musk having kept giggling all the way from ‘fucking around’ to ‘finding out’, he’d arrive at a regulatory ground zero for data protection in the EU — in which any DPA across the bloc that judges there’s a risk to the information of Twitter users in their country would be empowered to go after his company directly. So, basically, regulatory free-for-all vs carefully cultivated lead supervisor.
(For an example of the difference this can make, see France’s CNIL getting an early GDPR fine slapped on Google in 2019 — before the latter claimed main establishment in Ireland and re-routed cross-border concerns via Ireland, putting the breaks on GDPR enforcement as the velocity of regulatory oversight got squeezed into the OSS bottleneck; still with no more major GDPR fines for Google since CNIL’s.)
DPO or GTFO
When it comes to the DPO issue, Twitter’s problem is smaller but it could still be a ‘tip of the iceberg’ type issue.
It will certainly need to appoint a replacement for Kieran — at least while its service remains available to users in the region. Under the GDPR, entities processing certain types of data (and/or processing personal data at enough scale, as Twitter does) are duty bound to appoint a data protection officer (DPO) — who must be an independent expert and provided with adequate resources to do the job — hence his departure by resignation (along with multiple senior compliance colleagues) signals a problem.
The DPO role is to act as a contact point for regulators (such as the DPC) — as well as to advise and assist in monitoring internal compliance with data protection obligations, such as by providing guidance for compiling Data Protection Impact Assessments (DPIAs). Expertise and independence are required for the role. (So — no — Musk can’t just appoint himself or one of his idiot stooges ‘Chief DPO’ and expect this problem to go away.)
Compliance is also of course an ongoing requirement — so this problem is a neverending journey, not a destination. At a bare minimum, Twitter needs to be communicating with regulators to inform them of key changes and — under Musk — it’s not even doing that.
Product development under Musk also looks like a compliance nightmare. His chaotic version of Twitter Blue was obviously going to cause problems of impersonation — which flared up immediately it launched. And thoughtlessly rushing out products that could pose informational risks to hundreds of millions of users runs directly counter to the spirit and intent of European data protection regulation.
Given the rapid pace of launch of Musk’s revamped Twitter Blue subscription product it’s difficult to see how — for example — a DPIA could have been properly undertaken to assess risks ahead of launch — which may partly explain the resignation of Kieran and other senior compliance folks, if they felt they were simply unable to carry out their jobs.
What adequately qualified person would knowingly agree to take on such a role in these conditions is another big question. Anyone qualified enough to be Twitter’s DPO may quickly conclude it’s not possible to do the job — not under the current Chief Twit, at least.
And, as noted above, if Musk tries to troll regulators by making a joke appointment that will just invite more scrutiny and further undermine Twitter’s relationship with oversight bodies, amping up its regulatory risk. (As well as the DPC, the FTC and the European Commission have pressing reasons to be keeping tabs on what Musk is doing at Twitter.)
Penalties for non compliance with the GDPR can scale up to 4% of global annual turnover for the most egregious breaches (so not insubstantial at the theoretical maximum). Although fines for failing to properly appoint a DPO (or notify a departure) would not — typically — fall into that headline category.
Food delivery app Glovo was fined €25k by Spain’s DPA for failing to appoint a DPO back in 2020, for example, while the Belgian DPA issued a €50k fine to an undisclosed entity the same year for appointing a head of compliance, audit and risk as a DPO — after it found it created a conflict of interest.
Twitter’s only GDPR fine to date, meanwhile, was a $550k penalty — issued back in December 2020 — for failing to promptly declare and properly document a data breach. So pretty small beer.
However, Twitter under Musk is clearly a very different animal. And in such a drastically changed context all bets are off about how regulators are going to respond.