18 Mar 2020
Twitter Laughs in the Face of GDPR Regulation
“...and seems to get away with it!”
Image credit: funsubstance.com
Image credit: funsubstance.com

One morning at the beginning of January, I opened my @stiobhart Twitter account as usual for a quick peruse of what was happening in 'The Inconsequentialverse' and was surprised to see an alert popping up which said "Your account is suspended and not permitted to perform this action". As the only "action" I was 'performing' was clicking on the various 'News', 'Trending' etc, tabs to see what was going on in the world, I thought it was just one of those glitches in the matrix.

Helpful Twatter message
Helpful Twatter message
And this one, after I tried an experimental Tweet
And this one, after I tried an experimental Tweet

Then I logged out and logged into the @madranet Twatter account that I use for my so-called business and found the same thing happening. "Wot the Fuck?!"…​ I thought handsomely and logged out of that account and into a third one which I use regularly; that of Glengormley’s favourite son, newsreader Padric O’Plaque. Same story there. Starting to think that someone at Twatter had it in for me, I checked out another couple of Twatter accounts which I’ve not used for ages and found that every single one of them was either marked as 'Suspended' or 'Locked'.

Now I know this is going to sound like that old cliché whereby everyone in prison claims they are innocent and shouldn’t be there. But I really can’t see any reason whatsoever why any of the accounts should have been suspended --never mind a justification for completely blanket banning me entirely from Twatter.

@stiobhart --I use almost exclusively for showing off my artwork. 99% of my posts are artwork with the other 1% comprising usually sardonic comment and I only really interact with other artists on Twatter, discussing & commenting on each other’s art, etc.

@madranet -As I said, is my business account where I post pictures of my latest Tshirt designs with links where to buy them. I don’t @ anyone or spam anyone with those tweets. I just put them out there.

@padoplaq -Is a satirical account for an invented character I created ages ago, who thinks he’s an important celebrity but is really a complete loser who no-one’s ever heard of [You might uncharitably call him a 'Kwik-Save Alan Partridge' although I invented my guy first --I just never did anything with him]. O’Plaque comments on news issues of the day such as elections etc, but mostly from the point of view of making the character himself look ridiculous. No threatening, messaging, defaming, etc other people.

One of the other accounts which I also found locked was @NastyGrammar, an account that’s devoted entirely to posting pictures and screengrabs of grammatical howlers from newspaper headlines and websites. So, again, no question at all of infringing on any of Twatters acceptable content policies.

Over the following few days, I got in touch with Twatter on 2 or 3 separate occasions, via a webform on their site provided for such purposes, asking them to unsuspend my accounts. But I might as well have farted into a black hole and listened for the echo because, as with all these huge US megacorps, Twatter’s support department is staffed entirely by chimpanzees trained only to use the copy & paste functions on their keyboards.

This is the standard response I've received to every message I've ever sent to Twatter's support dept.
This is the standard response I've received to every message I've ever sent to Twatter's support dept.

By the time mid-January rolled around, all my accounts were still suspended and I’d still had no response from 'Simian Support Inc.' apart from that same autoreply, multiple times. I’d also had to try and explain what was going on, to a couple of online buddies who’d contacted me asking why I’d been 'banned from Twatter' [Spoiler alert: I have no fucking idea!]

So I thought [this time, with a sardonic sneer]; "Fuck Twatter and the horse it rode in on. I’m going to download my drivel and take it elsewhere!"

So, on 14th January, I logged into one of the accounts again and tried to download my account data. But, when I attempted to do so, the site displayed that ol' familiar error again:

Not allowed to download my data? Isn't that a blatant GDPR violation?
Not allowed to download my data? Isn't that a blatant GDPR violation?

Enough was enough. It was time to threaten to set the EU on Twatter’s fat corporate arses. So I sent them a formal GDPR Data Access request via email:

Formal GDPR Data Access Request. Sent 14th Jan 2020
Formal GDPR Data Access Request. Sent 14th Jan 2020

Well, I’m sure there are as yet undiscovered tribes in the depths of the Amazonian rainforest, who can guess the response that email received. If you need a clue, think bananas and keyboards with very few buttons fitted.

Standard issue US Megacorporation support department keyboard
Standard issue US Megacorporation support department keyboard

Now, under GDPR regulations; the data controller [ie. Twatter] has thirty days from receipt of a GDPR Data Access Request from a customer [ie. wee me] to respond to the request either by providing access to the data or explaining why it cannot yet be provided. Therefore Twatter had until 14th February 2020 to respond to my request.

So, while we pretend we’re waiting for those 30 days to elapse, let’s play a fun game of "Count the GDPR Violations". Pull up your favourite 'https://www.thefreedictionary.com/barrack-room+lawyer[Barrack Room Lawyer]' chair, make yourself comfortable and we’ll begin. For convenience sake, I’m visually referencing the simplified GDPR checklist rather than the full legislative document:

Ready? Fingers on buzzers? Let’s go. Don’t forget to buzz in, when you spot a GDPR violation…​

Image credit: lisavandyke.wordpress.com
Image credit: lisavandyke.wordpress.com

Round One: GDPR states that customers have the right to 'request and receive' all the information an organisation has about them:

Not allowed to view my data? Bzzzt! --GDPR violation, number one!
Not allowed to view my data? Bzzzt! --GDPR violation, number one!

Round Two: GDPR states that customers have the right to 'receive a copy of their data .. in a format that can be easily transferred…​' in other words, allowed to download their data:

Not allowed download my data? Bzzzt! --GDPR violation, number two!
Not allowed download my data? Bzzzt! --GDPR violation, number two!

Now let’s just take a short break here while I furnish you with some more info.

While logged into my Twatter account, I thought I’d try out a few other account related activities. To my complete lack of surprise, I was prevented [with the by now familiar "Your account is suspended and not permitted to perform this action"] error, when I tried to do any of the following:

  • Remove my photograph from my account profile.

  • Change the display name of the account [so it was not personally identifiable].

  • Close the account.

  • Change the email address associated with the account

So, armed with that additional info, let’s get on with the quiz:

Round Three: GDPR states that customers have the right to 'update inaccurate.. information'. For example, change the email address associated with their account. This I was also prevented from doing.

Not allowed change or update my data? Bzzzt! --GDPR violation, number three!
Not allowed change or update my data? Bzzzt! --GDPR violation, number three!

Round Four: GDPR states that customers have the right to 'request to have their personal info deleted'

Not allowed delete my account? Bzzzt! --GDPR violation, number four!
Not allowed delete my account? Bzzzt! --GDPR violation, number four!

Well, my law degree may have come from the Barrack Room and I may not be able to count past ten without taking my shoes and socks off, but I make that an impressive FOUR! blatant breaches of GDPR violations on the old GDPR-Violation-O-Tron scoreboard.

Now, Twatter’s support staff may be entirely staffed with banana-sucking keyboard mashers but, given the size of the company and the size of the pile of cash they’re sitting on, you’ve got to assume they have a pretty astute legal department. So, I think it’s also fairly safe to assume that they’re aware of EU GDPR regulations. Therefore, as Twatter make it a point of policy to violate their EU based users' GDPR rights, I can only draw the conclusion that they’re doing so deliberately, because they think EU law doesn’t apply to them. I wonder how many accounts are suspended, banned or otherwise limited in this way at any one time? It must run into the thousands, if not tens of thousands or even hundreds of thousands --a significant proportion of which must belong to users based in Europe. So the grand total of individual GDPR violations on the GDPR-Violation-O-Tron scoreboard might conceivably run into the millions!

But wait --there’s more!

When Twatter suspends a user’s account, they replace that user’s profile with a message saying the account has been suspended and stating that 'Twitter suspends accounts which violate the Twitter rules'.

This is what the rest of the world sees, when visiting a suspended account's Twatter page
This is what the rest of the world sees, when visiting a suspended account's Twatter page

Now, it could be argued that that, legally speaking, that isn’t a direct statement that the account in question has broken Twatter’s rules, but it’s about as strong an insinuation in that direction as; standing beside someone, pointing at them while holding your nose and making wafting motions with your other hand --whenever there’s a farty smell in the air.

So, let’s take a wee peek at these Twatter Rules then:

=== Safety

Violence: You may not threaten violence against an individual or a group of people. We also prohibit the glorification of violence. Learn more about our violent threat and glorification of violence policies.

Terrorism/violent extremism: You may not threaten or promote terrorism or violent extremism. Learn more.

Child sexual exploitation: We have zero tolerance for child sexual exploitation on Twitter. Learn more.

Abuse/harassment: You may not engage in the targeted harassment of someone, or incite other people to do so. This includes wishing or hoping that someone experiences physical harm. Learn more.

Hateful conduct: You may not promote violence against, threaten, or harass other people on the basis of race, ethnicity, national origin, caste, sexual orientation, gender, gender identity, religious affiliation, age, disability, or serious disease. Learn more.

Suicide or self-harm: You may not promote or encourage suicide or self-harm. Learn more.

<snip>

So, not only do Twatter deny you four different forms of access to your data, when they suspend your account --a clear violation of GDPR. They also replace your profile page with an uncontestable message, stating to the world that you have violated their rules. This is tantamount to publicly denouncing you as an violent extremist, terrorist supporter, sexual exploiter of children, abuser, or hate-peddler with [and I think this is worth re-emphasising] No way for you to contest that information, alter it, or have it removed. It’s not often my wee brain is boggled but I’m astounded that Twatter think this kind of behaviour is legal and allowed and even more astonished that no-one has dragged them up about it before.

Anyway, while you were enjoying that interlude, 29 days elapsed from my initial GDPR Data Access request to Twatter, with nowt but that autoreply and tumbleweed in response. It was now 13th February and one day short of the deadline for Twatter to respond. Just to cover all the bases, but not in any expectation of a reply, I decided to send them a reminder on their official support@twitter.com email address:

Reminder email. Sent on 13th Feb 2020
Reminder email. Sent on 13th Feb 2020

This time Twatter’s response was different. But don’t get too excited. Instead of their customary autoreply, I got…​

…​a different autoreply!

Autoreply to my reminder. Must be a new monkey on the keyboard
Autoreply to my reminder. Must be a new monkey on the keyboard

Not content with ignoring everything you submit to them via their web-forms, the support email address which Twatter provide on their website isn’t even monitored. In other words they’re actually providing you with an official email address to contact them on, but telling you they won’t bother to read it, if you do.

The phrase 'Taking the fucking piss' most definitely springs to mind!

Anyway, by now I’d well passed the point where I wanted anything to do with Twatter in any capacity. So, 'Crusader for Justice' that I am, I decided to file an official complaint with the UK Information Commissioner’s Office. This I did on 15th February 2020. A move that I suspect may have been a complete waste of time as, at the time of writing this post, over a month later, I still haven’t received anything at all in the way of a response from them.

Official complaint lodged with UK Information Commissioner's Office on 15th February 2020
Official complaint lodged with UK Information Commissioner's Office on 15th February 2020

I don’t know whether this is because the ICO is just another toothless watchdog, or if they are now effectively defunct post-Brexit, or if they’ve outsourced their support work to the same zoo as Twatter. But, in the face of this wall of indifference and after consulting Michael Veale, a prominent digital rights activist, I decided to refile my GDPR complaint with the Irish Data Protection Commission instead, given that Twatter’s European HQ is based in Ireland.

That I’ve done today [18th March 2020]:

Official complaint lodged with Irish Data Protection Commission on 18th March 2020
Official complaint lodged with Irish Data Protection Commission on 18th March 2020

So now I am once again at the thumb-twiddling stage; waiting to see what, if any, action the Irish Data Protection Commission will take in my case. Let’s hope they show a bit more interest than their UK counterparts have done.

One interesting thing I did find on my trek through the relevant legislation, is that the fines for GDPR violations can be pretty huge --especially for a company as big as Twatter. And, given that individual EU countries and the EU itself has, in the not too distant past, slapped Apple and Facebook with fines totalling many millions of Euros, I’m hoping against hope that some day I see Twatter getting a similar financial kick in the bollocks --even if it’s not as a direct result of my complaint.

Are you reading this, Twatter?
Are you reading this, Twatter?

Watch this spot. Updates as and when there are any developments.

Scroll to Top