Twitter is being investigated by the Irish Data Protection Commission (DPC) following a complaint made in August by privacy researcher Michael Veale of University College London after his request for link tracking information was refused, as reported by Fortune.
Under the EU's General Data Protection Regulation (GDPR), users of online services have the right to ask for details on how data collected while they are active on a site is being used, as well as for a full copy of all data collected.
Twitter refused to comply with Veale's legitimate request, saying that doing so would take a disproportionate amount of effort, which is one of the exemptions allowed by GDPR.
However, the researcher disagrees, accusing the social network of misinterpreting the text of the EU regulation, which does not allow such exceptions to be used to limit access requests to data.
According to Veale, Twitter collects more data than it should when users click on links shortened with its in-house t.co URL shortener, well beyond the declared scope of recording the number of clicks on each link and stopping the spread of malware on the platform.
Twitter could face a €20 million fine if the DPC's investigation concludes that it did not comply with the EU's data protection regulation
“The DPC has initiated a formal statutory inquiry in respect of your complaint,” the Irish data protection authority told Veale. “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”
Under the GDPR's non-compliance penalties, companies found to breach the regulation can be fined up to €20 million ($23.2 million) or 4% of their global annual revenue, whichever is higher.
Given that Twitter’s 2017 revenues were around $2.4 billion, a possible GDPR fine could reach a maximum of €20 million.