
Could “The New Twitter” Run Into Issues With GDPR One Stop Shop Rule? Irish DPC Source Indicates Staffing Situation May Be a Problem

Elon Musk’s takeover of Twitter has come with sweeping changes to the company’s structure, not the least of which was mass layoffs and resignations that greatly reduced its staff in a very short period of time. Speaking on condition of anonymity, an Irish DPC source told the media that Twitter could now be facing GDPR issues due to the loss of certain key personnel based in the region.

The core of the controversy is the GDPR “one stop shop” rule, which allows foreign tech companies that maintain their EU headquarters in one member state to designate a lead data supervisor in that state as a point of contact who interfaces with (and is governed by) one particular Data Protection Authority (DPA). Some in the Irish DPC apparently feel that this now vacant role will be tough to fill given the individual responsibility the appointee would have to accept for data breaches.

Prospect of GDPR trouble raised over Twitter staffing situation

The role of global chief privacy officer (CPO) at Twitter was previously filled by Damien Kieran, who resigned in early November amidst a wave of senior executives leaving the company. The role has yet to be filled, and it is unclear when it will be.

Twitter might fall afoul of the GDPR’s one stop shop terms without a CPO/DPO in place, as Kieran was considered the point of contact for that purpose in the EU. Losing its Ireland “main establishment” status (Twitter maintains an office for this purpose in Dublin) would subject the company to GDPR regulation by all of the EU’s member states. Being regulated by the Irish DPC is generally seen as favorable by tech firms, as it has developed a reputation both for being slow to review cases and for pushing for generous penalty terms for the businesses that call Dublin home in the EU. Losing that status means that any national DPA in the EU could bring direct action against Twitter on behalf of its citizens without the standard collaborative process that ultimately funnels everything through the Irish DPC.

This is not a clear-cut decision based on the lack of a CPO, however. The GDPR does not have a clear process in place for determining main establishment status, so a simple lack of a particular point person is not immediately disqualifying. Twitter’s Ireland branch reportedly has its own management structure specifically crafted to meet this requirement. However, this structure hinges on a local board in Ireland reviewing planned new features and changes to the product before implementation. TechCrunch is reporting that the Irish management has not been sent any new information since Musk took over.

The GDPR regulations do require local management of this sort to have at least two board members, a bar which Twitter now barely clears (a prior third member appears to have left the company in October). It is unclear how the Irish DPC will judge the situation, but the most likely outcome at this point is that it will review Twitter’s product feedback pipeline to determine if the Irish board members are still being adequately informed and are also having their feedback received at the US end.

This is still an issue that funnels through the Irish DPC at this point, but the bloc’s other DPAs have some ability to intervene should they choose to invoke the GDPR’s Article 66 clause (allowing them to take direct regulatory action against a company if they feel there is an imminent risk to users in their country). Some, such as France, have already shown a willingness to invoke this power when the Irish DPC appears to be bottlenecking the process.

All of this may end up being academic, however, if Twitter decides it is simply going to ignore EU regulations. There is some sign that this is what Musk intends in the long term, as Twitter has reportedly just shuttered its Brussels office, a smaller outpost that was opened to deal with various aspects of European regulation other than the GDPR. Were Twitter to pull up stakes entirely on a physical presence in the EU, the bloc would have little option for leverage over the platform but the “nuclear option” of banning it from doing business there entirely.

Next step for Twitter in EU is Irish DPC review

It is difficult to guess what Twitter’s position on all of this is, as the company has virtually dismantled its communications department in recent weeks and is not replying to any requests for comment. The next news that comes on the issue may be when the Irish DPC makes a determination.

Twitter could potentially head off this immediate GDPR trouble with the appointment of a new CPO, who does not necessarily have to be based in Ireland. That is easier said than done, however, given that there does not appear to be a long line of candidates and that the position essentially comes with unknowable personal risk at this point.

The seeming chaos of the Musk era of Twitter has naturally inspired concern about the future of the platform, with no small amount of predictions of imminent doom. Tom Kellermann, Senior VP of cyber strategy at Contrast Security, thinks that the platform’s immediate fortunes will hinge on cybersecurity rather than regulatory concerns: “The massive reduction in the labor force and the recent resignations by C-level cybersecurity and privacy executives will create a vacuum. Lack of investment in cybersecurity and content moderation will allow for cyberspies and cartels to launch targeted cyberattacks from the platform. Confusion over security policies and new management of the platform will be used by attackers to drop payloads and attacks, not just disinformation.”