Following a flurry of resignations of senior Twitter privacy and security staffers late last week, the social media firm has informed its lead data protection regulator in the European Union that it has appointed an “acting” replacement for one of those positions: The key role of data protection officer (DPO).
The abrupt departures of Twitter’s CISO Lea Kissner; chief privacy officer (and DPO) Damien Kieran; and chief compliance officer Marianne Fogarty immediately raised questions over its ability to meet regulatory requirements under new, norm-trashing broom, Elon Musk — who only completed his $44 billion takeover at the end of last month.
A company that’s processing personal data at the scale Twitter does is obliged, under the European Union’s General Data Protection Regulation (GDPR), to at least have a DPO — at a bare minimum.
Twitter also has a 2011 consent decree with the FTC that requires it to submit regular reports on how it’s living up to ongoing commitments to safeguard user data — so the sudden departure of senior privacy and security staffers immediately set alarm bells ringing. Including at the Irish Data Protection Commission (DPC), Twitter’s lead data supervisor for the EU’s GDPR.
A meeting between the DPC and Twitter followed hard on the heels of the trio of resignations — arranged last week and taking place yesterday — and at this meeting the DPC said Twitter informed it that it has appointed an existing employee, Renato Monteiro, as its “acting DPO”.
Monteiro has been employed at Twitter for two years nine months, per his LinkedIn profile — starting in Match 2020 in São Paulo, Brazil, as a Data Protection Counsel Lead for Latin America, before relocating to Twitter Ireland this summer to take up a role as director for international privacy and data protection lead — managing privacy and data protection teams in Europe, the Middle East and Africa, North and South America and APAC.
It is not clear why Monteiro has only been named “acting” DPO — or whether his appointment is intended only as a stop-gap while a full replacement is sought, or not.
Since Musk took over Twitter, the company has stopped responding to press enquiries so it is not possible to obtain confirmation via an official channel. But Musk appears to have a penchant for appointing ‘acting’ rather than actual job titles, as well as for playing with absurd job titles (such as initially christening himself “chief twit“, after he fired and took over from the actual CEO; followed by Musk becoming “Twitter complaint hotline operator“, seemingly as a commentary on users responding negatively to his early product decisions and other changes).
One question that’s likely to arise, therefore, is whether Monteiro is being invested with the full responsibilities and duties required by the DPO role under GDPR — and, if not, whether an ‘acting’ framing will pass muster with EU regulators or not.
At the time of writing the DPC had not responded to our question on this point. But we’ll update this report if we get a response.
Last week, the Irish regulator told us that in addition to using Monday’s meeting with Twitter to seek information from it about the DPO situation it planned to discuss a wider concern — to ask whether the business is still claiming its main establishment (for GDPR purposes) in Ireland.
This structure is important because it enables Twitter to participate in the GDPR’s one-stop-shop (OSS) mechanism — which sets up the DPC as its lead data supervisor for EU data protection issues and means complaints made elsewhere in the bloc are typically funnelled via Ireland — allowing the US-based company to streamline its GDPR compliance and shrink regulatory risk.
However, given all the drastic changes accompanying Musk’s takeover of Twitter — including, reportedly, standard privacy and security review processes being dispensed with — doubts are being cast over whether Twitter can still credibly claim main establishment in Ireland, as we reported yesterday.
The DPC’s deputy commissioner Graham Doyle declined to provide an update on its questioning of Twitter’s main establishment status following yesterday’s meeting — saying only: “We continue to engage with Twitter.”
Other EU data protection agencies are likely to be watching developments on this front exceedingly closely.
A spokesperson for France’s CNIL told ZebethMedia it will be approaching the DPC to discuss the nature and “possible consequences” of changes reported to have taken place at Twitter since Musk took over.
Although the regulator also told us that, at present, it does not have “sufficient information” to question the application of the OSS.
“Until now, the evidence available to the supervisory authorities has led them to consider that Twitter’s principal place of business in the EU was in Ireland, which made the DPC the lead authority. The CNIL intends to approach the DPC to discuss about the nature and possible consequences that the changes mentioned in the press are likely to have on the role and status of Twitter’s Irish establishment,” the CNIL’s spokesperson said.
“At this stage, the CNIL does not have sufficient information to consider that the application of the one-stop shop system is in question.”