Twitter’s lead EU watchdog for data protection has fresh questions for Musk • ZebethMedia
In parallel with the FTC’s ominous warning to Elon Musk’s Twitter yesterday — that ‘no CEO or company is above the law‘ — the microblogging platform’s lead regulator in the European Union is on its case in the wake of senior staffers in charge of security and privacy compliance walking out the door. Graham Doyle, a deputy commissioner at Ireland’s Data Protection Commission (DPC), which currently leads oversight of Twitter under the EU’s General data Protection Regulation (GDPR), told ZebethMedia it’s in contact with the company following media reports yesterday that its data protection officer (DPO) had resigned. A meeting between the DPC and Twitter will take place early next week, according to Doyle. He also confirmed to us that Twitter had not informed the regulator of the DPO’s departure prior to the media reports. Getting clarity over the DPO situation will be top of the meeting agenda, per Doyle. But he said the regulator now has another concern it wants to discuss with Twitter — regarding whether Twitter’s main establishment, for GDPR purposes, is still located in Ireland… Next stop: One-stop-shop stopped? “One of the issues that we want to discuss is the issue around main establishment,” Doyle told ZebethMedia. “They’re obliged to have a data protection officer in place and provide us with the details but equally, under the [GDPR] one-stop-shop (OSS) mechanism in order to get a main establishment to engage with one regulator, the decision making processes — in terms of the processing of EU data — needs to take place in that country. That’s one of the principles of main establishment. And what we want to establish is that that is continuing to be the case for Twitter.” Ireland being Twitter’s lead regulator for the GDPR under the OSS is important because it puts the Irish watchdog in the driving seat when it comes to opening inquiries (or not), or otherwise acting on concerns over Twitter’s compliance (such as following up on the un-notified resignation of its DPO now). From Twitter’s point of view, the arrangement is advantageous because it streamlines compliance since it only needs to liaise with one (lead) regulator over any issues, rather than handling inbound from multiple data protection agencies (potentially in different languages). Ireland has a lead supervisor role for Twitter because the company was able to notify its Dublin office as its “main establishment” in the EU — what the regulation refers to as either the place of “central administration in the Union” or “where the main processing activities take place in the Union”. However were Twitter to be deemed to no longer have this processing base in Ireland there would be an immediate regulatory reconfiguration and data protection authorities across the bloc, from any of the EU’s 27 Member States, could instigate inquiries or act on local complaints themselves — cranking up the regulatory complexity, velocity and risk for Twitter’s European business. With Musk slashing 50% of Twitter’s headcount globally just last week — and a reported “carnage” in the Irish office, per an Irish Times report which said more than 50% of local staff were affected — questions have arisen in Dublin over the stability of its main establishment status for the GDPR. “We’ve made contact with Twitter.. And for us one of the issues we want to discuss with them is the issue of main establishment — is there any change? With the announcement of the departures — including the DPO — is there any plans to change the decision making process that’s in place that allows them to avail of the main establishment,” Doyle reiterated. Reports that all was not well up at the senior echelons of Twitter’s security and privacy function spilled out onto Twitter yesterday afternoon. Platformer journalists, Casey Newton and Zoë Schiffer, reported that Twitter’s CISO, chief privacy officer and chief compliance officer has all resigned — citing messages shared in Twitter Slack which they had obtained. Soon afterwards, the Washington Post’s Cat Zakrzewski tweeted that the Irish DPC was “seeking more information” from Twitter. According to messages shared in Twitter Slack, Twitter’s CISO, chief privacy office, and chief compliance officer all resigned last night. An employee says it will be up to engineers to “self-certify compliance with FTC requirements and other laws.” — Casey Newton (@CaseyNewton) November 10, 2022 NEW: A senior member of Twitter’s legal team just posted this message in Slack:“Everyone should know that our CISO, Chief Privacy Officer and Chief Compliance Officer ALL resigned last night. This news will be buried in the return-to-office drama. I believe that is intentional.” — Zoë Schiffer (@ZoeSchiffer) November 10, 2022 Twitter CISO Lea Kissner later confirmed her departure in a tweet — as did Damien Kieran, Twitter’s now ex chief privacy officer. While Marianne Fogarty, Twitter’s (reportedly ex) chief compliance officer, tweeted what may be an indirect confirmation too late yesterday — writing: “Therapy Thursdays have taken on new meaning of late. #LoveTwitter”. Enquiries to Twitter’s press line have gone unanswered since Musk took over so it’s not been possible to obtain an official line on what’s going on. The company’s communications department appears to have been a major casualty of the 50% headcount reduction Musk swiftly applied on taking over — with press staffers either entirely or almost entirely laid off. It also not clear how many of Twitter’s staff in Ireland were laid off last week. There is no obligation on the company to report overall layoffs numbers to the DPC. Nor is the criteria a regulator should use for assessing main establishment clear as it is not stipulated in the GDPR itself — but rather left up to regulators to determine. (On determining main establishment, the regulation states: “The main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” — further stipulating that “criterion should not
