- Jan 21, 2018
Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required to claim Ireland as its "main establishment" under the European Union's General Data Protection Regulation (GDPR), TechCrunch has been told.
Our source, who is well placed, requested and was granted anonymity owing to the sensitivity of the issue — which could have major ramifications for Twitter and for Musk.
Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is “main established” (in Twitter’s case, Ireland), rather than having to accept inbound from data protection authorities across the bloc.
However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds or not.
The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty all walking out the door en masse...."
The French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), has announced that it would impose a fine of 800,000 euros ($830,888) against Discord, Inc., for violations of the European Union's General Data Protection Regulation (GDPR) following an inves...
According to the CNIL press release, Discord is a "voice over IP (technology that allows users to chat via their microphone and/or webcam over the Internet) and instant messaging service, in which users can create servers, text, voice and video channels."
The decision highlights that Discord did not have a written data retention policy, which allowed for the accumulation within the Discord database of over 2.4 million accounts of French users who had not used their accounts for more than three years and 58,000 accounts that had gone unused for more than five years. The CNIL noted, however, that Discord subsequently complied with the GDPR's retention obligation "since it now has a written policy for the retention of data, which provides in particular for the deletion of accounts after two years of user inactivity."
Discord was also found to have been in breach of the obligation to inform users concerning the storage periods, but it has since complied with that obligation as well. In addition, Discord was found to have breached the obligation to guarantee data protection by default, the obligation to ensure security of personal data, and the obligation to carry out a data protection assessment, but Discord has since taken steps to remedy those GDPR violations.
The fine was decided based on the breaches identified, the number of people concerned, and the efforts made by the company to comply throughout the investigation.