14 Jun 2020
Twatter GDPR Revisited
“A Pyrrhic Victory”
twatgdprfollowup00
Image credit: funsubstance.com

This post is a follow-up to my hit single Twitter Laughs in the Face of GDPR Regulation. If you don’t know what this is all about, you can go there for the full background story. But here’s a brief summary:

[If you’ve already read the previous episode, you can Skip to the new stuff]

The Story So Far

  • In January 2020, our hapless hero logged into Twatter to find that all his accounts [four to be precise] had unexpectedly been suspended, for no apparent reason.
  • When Twatter suspends an account they don’t allow the user to; close the account, download the account data or change what personal information is displayed on the account. All in clear breach of GDPR regulations.
  • Twatter also displays a notice on suspended accounts saying the account has broken one of their 'rules' and links to a page listing these rules, which primarily consists of banning; child abuse, hate speech, supporting terrorism, threats’n’violence…​ etc. So, while not [as far as I can see] another GDPR violation, nonetheless an outrageous slur on the the suspended user’s good character.
  • Yours truly made several attempts to contact Twatter by email between January and mid-February, to ask for the accounts to be unsuspended but received nothing in response but tumbleweed and the occasional Copy/Paste reply.
  • Having got no reply from Twatter, our hero twice lodged a complaint with the UK Information Commissioner’s Office, in February 2020. As of time of writing this follow-up there has been no response whatsoever from the UK ICO —not even an acknowledgement of receipt of the complaints.

[Must be great to work for an organisation, where the public purse pays you to sit on your arse all day!]

  • With the UK ICO having revealed itself to be as uncommunicative as Twatter, whatsisface turned to the Irish Data Protection Commission instead, given that Twatter’s European HQ is based in Ireland. A complaint was lodged with them on 18th March 2020.

And that’s where we left it at the end of the previous chapter…​

twatgdprfollowup02
Image credit: marion-hill.com

The New Stuff

At first impression, the Irish DPC seemed to be a lot more useful than the moribund UK ICO. For one, they actually bothered to respond [within 2 days]:

From : DPC Info <info@dataprotection.ie+ Date Sent On 19/03/2020
Subject Acknowledgement of your e-mail to the Data Protection Commission C-20-3-528

To Whom It May Concern,

I acknowledge receipt of your e-mail to the Data Protection Commission.

In line with our Customer Service Charter we aim to reply within 15 working days. In doing so, we will communicate clearly, providing you with relevant information or an update regarding your correspondence.

If your email is in relation to an existing case, we will be in contact with you at our earliest opportunity.

Yours sincerely,

Data Protection Commission

That looked a bit more promising.

However, on 23 April, I got the following from the Irish DPC [my highlighting]:

2020-04-23 16:01, info@dataprotection.ie wrote:

Dear Mr. Matulevicz,

I write further to your concerns in relation to Twitter which you submitted to the Data Protection Commission (DPC) on 18 March 2020. This matter has been referenced as C-20-3-528. Please quote this reference on all correspondence to the DPC in relation to this matter.

I note that you wish to regain access to your account in order to access your personal data. The DPC cannot assist Twitter users regaining access to their social media accounts. However, we can progress your concerns in relation to your request to access a copy of your personal data. In order for the DPC to progress this matter please confirm the following:

  1. Your desired resolution in this matter.

In your case, as you do not reside in Ireland and you may wish to lodge your complaint directly with the DPC and not with your local data protection authority (the Information Commissioner’s Office - in the UK where you are residing), in practice this would mean that, in circumstances where your complaint is rejected or dismissed by the DPC, any appeal made by you in respect of your complaint would be against the DPC via the Irish courts (and not against your local data protection authority via your national courts).

The DPC has requested additional information from you to progress this matter. Should this information not be received within one month of the date of this email I will proceed to close our file in this matter.

Yours sincerely, Deirdre A. Glennon Higher Executive Officer

I’d pointed out in my original DPC complaint that I COULD log in to my Twatter accounts but wasn’t permitted to…​. etc…​ etc [refer to list above]

But, as ever, the secret with these things is actually getting people to read what you wrote to them, instead of glancing at the subject line and composing their reply based on that. So, back to the old drawing typing board and a quick 'RTFM' response, pointing out that I’d already told them I had access to the Twatter accounts. But I was being denied the right to download my data and/or close the accounts:

Subject: Re: Your concern re Twitter C-20-3-528
To: info@dataprotection.ie
Date: Fri, 1 May 2020 09:53:13 +0100

Hi.

Thanks for getting in touch.

I note that you wish to regain access to your account in order to access your personal data. The DPC cannot assist Twitter users regaining access to their social media accounts.

This is not strictly correct. As stated in my original complaint and illustrated with accompanying screengrabs, I am still able to access and login to my Twitter account, so I do not need any assistance with accessing the account.

However, whilst logged into my account, I am not permitted to download my personal data and Twitter does not provide any other means for a person to request their personal data other than by downloading it from within their account:

https://help.twitter.com/en/managing-your-account/accessing-your-twitter-data

My desired resolution is to be given access to my personal data. The method by which Twitter provides this–whether that be via my account page itself or by having it emailed to me directly–is immaterial.

Thanks,

stíobhart matulevicz.

Another couple of weeks went by and then, on 12th May, I got the following. They had at least read my email this time, although I’d apparently been 'transgendered' in the meantime:

Date: Tue, 12 May 2020 15:50:14 +0100
From: <info@dataprotection.ie>
Subject: RE: C -20-3-528

Dear Ms. Matulevicz,

I acknowledge your email to this office 01 May 2020.

Thank you for providing clarity with respect to you data protection issue. That is, while you can access your account, you are unable to download a copy of your personal data due to the account being suspended.

Please note that under Article 77.1 of the General Data Protection Regulation (“GDPR”), “the data subject considers that the processing of personal data relating to him or her infringes this regulation”. As such, should you wish to engage directly with the Data Protection Commission regarding the concern you have about Twitter, you may do so.

However, If you are affected by a “legally binding decision” of the DPC, you may within 28 days from the date on which you received notice of such a decision from the DPC, appeal against that decision to either the Circuit Court or the High Court. In your case, as you do not reside in the Republic of Ireland and you may wish to lodge your complaint directly with the DPC and not with your local data protection authority (the Information Commissioner’s Office "the ICO" in the UK where you are currently residing), in practice this would mean that, in circumstances where your complaint is rejected or dismissed by the DPC, any appeal made by you in respect of your complaint would be against the DPC via the Irish courts (and not against your local data protection authority via your national courts).

A cooperation mechanism, the One-Stop-Shop (the OSS), was established as part of the GDPR, affording data subjects the opportunity to make data protection complaints to their preferred Data Protection Authority (DPA). If said DPA is deemed to not be the 'competent' authority, they can engage with the competent supervisory authority in the EEA with regard to any action they take with respect to that complaint.

As such, in the first instance you may wish to raise the concern with your local Data Protection Authority (the ICO in this instance, in the UK where you are residing), who may then engage with us (the DPC) on your behalf. Alternatively, you may wish to continue to engage with the DPC directly, bearing in mind the implications of that decision with respect to your right of appeal.

Please confirm to this office your preferred course of action.

Please note that if we do not hear further from you in this regard within one month of today’s date, we will presume that you no longer wish to pursue this concern and will proceed to close our file in this matter.

Yours sincerely,

Luke C. Noonan Executive Officer

The Irish DPC were certainly proving to be a bit more communicative than their UK counterparts but I was starting to detect an element of "So, let me just check this. You say XXX and you want us to do YYY? Is that it? I just want to make sure!". about their replies. A premonition that was to be borne out as the communication progressed.

I wrote back to them again on 13th May:

Subject: Re: C -20-3-528
To: info@dataprotection.ie
Date: Wed, 13 May 2020 20:03:09 +0100

Hi.

Yes. I would like the DPC to continue to pursue this on my behalf.

Thanks,

stíobhart matulevicz

Fourteenth May and 'another day, another reply' from the DPC. This time a brief email attaching a formula legalese letter, in which they effectively say "We’ll take on the job". So, finally, after much 'Are you sure?'-ing, we seemed to be getting somewhere:

Date: Thu, 14 May 2020 10:58:53 +0100
From: <info@dataprotection.ie>
Subject: RE: C -20-3-528

Dear Ms. Matulevicz,

I acknowledge your email to this office 13 May 2020.

By way of update, please find the attached letter for your attention (acknowledgement of your complaint regarding Twitter International Company).

(See attached file: Letter From The DPC 14-05-2020.pdf)

Yours sincerely,

Luke C. Noonan Executive Officer

And here’s a copy of the attached letter, if you’re interested.

Now, I’m afraid things get a bit murky here.

I’m pretty sure I received a further email [if not more than one!] from the DPC after this one which, once again, seemed to be along the lines of "Right! So we’re all agreed. We’re going to do this thing, are we?" and inviting me to reply to them –yet again!, to confirm I really, really wanted to go ahead with it. But, unfortunately, I don’t seem to have kept that email because I can’t find it.

twatgdprfollowup03
Irish DPC Operating System screengrab

To be honest, by this stage I’d lost interest in the whole thing. I’d been locked out of Twatter for nearly six months and, after the initial annoyance at the injustice of it all, I’d found that I didn’t really give a shit.

Whenever I stumble across something from Twatter nowadays [which, unfortunately, is fairly often, given that it seems to substitute for "primary research" on most news sites these days] I feel like I’ve opened the door a crack onto a pub full of raucous, screeching brain-dead fuckwitts. And I can’t wait to slam it shut again and run away.

What a collossal barrage of inanity it is!

So I never bothered responding to this last [and unfortunately lost] email from the DPC, having decided to just let the matter lie. And there, dear friends, the story should have ended…​


…​Except that, on 10th June and completely out of the blue, I received two emails from Twatter themselves; one sent to my @stiobhart account email and one to my @madranet one:

Date: Wed, 10 Jun 2020 18:37:49 +0000 (GMT)
From: DPO Support <dpo@twitter.com>
Subject: Case# 0159188543: Restoring accounts @madranet and @stiobhart ref:00DA0K0A8.5004A1x4dDG:ref]

Hello,

We’re writing to let you know that we’ve unsuspended your accounts. We’re sorry for the inconvenience and hope to see you back on Twitter soon.

A little background: we have systems that find and remove multiple automated spam accounts in bulk, and yours was flagged as spam by mistake. Please note that it may take an hour or so for your follower and following numbers to return to normal.

If you need to get in touch with us again, please file a report through your Twitter app or our forms page, as this account isn’t monitored for replies.

Additionally, please note that your Twitter data is available directly via your Twitter account, as explained in the following Help Center Page: https://support.twitter.com/articles/20172679

Best, Twitter

So there you have it. Six months later, after; suspending all my accounts with [as they themselves now admit] no justfication whatsoever, breaking every GDPR regulation going and insinuating I’d been up to some pretty disgusting criminal activity, a brief "Sorry for the inconvenience…​" and "…​hope to see you back on Twitter soon".

Well, thank you for the generous invitation, Twatter. But I regret my reply must perforce remain:

twatgdprfollowup01
Image credit: anywhere memes roam free

Oh. And not that it matters now, but that "flagged as spam…​" bollocks is complete bullshit. None of the accounts ever @-ed anyone apart from as a direct message to one or two people, or in reply to someone who’d messaged me. For fuck’s sake!—one of the accounts didn’t even follow anyone and had never @-ed anyone, ever. So how could it possibly be spamming?

Just FOAD, Twatter!

Back to Top