Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?

Next stop: Regulatory hell?

Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called main establishment under the European Union’s General Data Protection Regulation (GDPR), a source familiar with the matter has told TechCrunch.

Our source, who is well placed, requested and was granted anonymity owing to the sensitivity of the issue — which could have major ramifications for Twitter and for Musk.

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is “main established” (in Twitter’s case, Ireland), rather than having to accept inbound from data protection authorities across the bloc.

However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds or not.

The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty all walking out the door en masse.

It’s not clear whether any adequately qualified individuals will be willing to step into these critical compliance roles for privacy and security at Twitter given the current Musk-driven craziness — since anyone signing up for that level of responsibility risks opening themselves up to personal liability should regulatory requirements be breached on their watch.

As we reported Friday, Musk’s attorney and now head of legal at Twitter, Alex Spiro — who has reportedly been given a key role in the overhaul of the platform — emailing all staff on behalf of “Elon” to claim they face no personal liability will surely sound alarm bells for regulators over Twitter’s direction of travel.

Last week, The Verge also reported on turmoil inside Twitter’s privacy and security function as standard review procedures were dispensed with and engineers were asked to “self-certify” compliance with FTC rules. Its report also cited an unnamed company lawyer who it said had Slacked employees to warn them that changes to how Twitter operates are piling personal, professional and legal risk onto engineers instructed to implement Musk’s will regardless of consequences.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators.

Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday. But the Irish Data Protection Commission’s (DPC) concerns are already spiraling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signaling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover.

Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers. Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report. (We’re happy to add a response if Twitter or Musk wants to send us one.)

For Twitter’s business itself, there are a number of potential consequences in play if its ability to meet regulatory requirements falls.

If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland, the company will crash out of the OSS — opening it up to being regulated by the data protection authorities across the bloc’s 27 Member States, each of which would become competent to oversee its business.

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business-friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

If Twitter loses its ability to claim main establishment in Ireland, it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

The GDPR does not set out specific criteria for assessing main establishment. But, in Twitter’s case — in order for it to be able to fulfill the regulation’s requirement of “effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” actually taking place locally, in Ireland, despite Twitter product development being led out of the U.S. — we understand that the company devised a careful legal framework that was designed to empower an Irish entity to be the data controller for EU users by ensuring that this Ireland-located Twitter company, which has its own board of directors subject to Irish law, has oversight of and influence on U.S.-led product development.

The structure Twitter was relying upon to participate in the GDPR’s OSS includes a system of mandatory privacy and security reviews for new products — to enable the Irish entity to insert its feedback and exert influence over product development.

Under this framework, the board of the Irish company was able to raise concerns about planned new features ahead of launch, with input then fed back to U.S. product development teams to be incorporated into products before launch — thereby, assuming the protocol was correctly followed, empowering a local decision-making capacity inside the EU.

However, per our source, the situation at Twitter since Musk took over is that no information is being provided about what products are being worked on in the U.S. to the Irish entity’s management — nor is the Irish entity’s management able to provide any input into any product Musk is working on since it is not being kept apprised of what’s being developed.

Products in development at Twitter are not even being submitted into review pipelines anymore, much less getting reviews before being shipped, according to our source, who told us the system has essentially stopped operating.

“Solving for the OSS is going to be a nightmare because that was already a complicated dance for Twitter’s old management — because it was a situation where you had two employees, effectively, who were lower down the pecking order of the company, the directors of the Irish entity, who are directing the US entity what to do,” this person said, adding: “But in a world where Elon is sole king, dictator, everything, you want some employees based in Dublin to try and give feedback to this guy? Who? That’s never going to work.”

Our source’s account of abandoned review processes aligns with The Verge’s reporting of normal security and privacy reviews being thrown into turmoil on Musk taking over.

Its report cites an employee who said the revamped Blue subscription disregarded the normal review process — with a “red team” only reviewing potential risks the night before launch, meaning they were not given enough notice or time to conduct a comprehensive check; in any case, none of their recommendations were implemented prior to the product’s relaunch.

The function of the product review pipeline where Twitter’s reliance on the OSS and GDPR is concerned, is more specific: It’s to act as a conduit for information to flow between U.S.-based Twitter’s product development teams, critical privacy and security review teams and staffers, and the Irish oversight entity — to enable a crucial decision-making capability to exist in the EU that meets a regulatory bar. So if the Irish entity is no longer in the loop on product decisions, it’s difficult to see how Twitter can credibly continue to participate in the OSS.

We understand that the Irish entity has two remaining board members — both of whom are located in Ireland. The board requires a minimum of two board members to be located in Ireland, under Irish law, in order to have a quorum. (The Irish entity previously had a third board member — who was located in the U.S. — but that person appears to have left Twitter last month.)

As far as we are aware, the two remaining Irish entity board members are still employed by Twitter (for now) — but our source’s view is that the situation is already untenable, given the board is being cut out of decision-making as Musk overrides the established oversight system for product review (and — seemingly — ignores and/or is unaware of the regulatory requirements it was designed to meet).

The system Twitter devised to avail itself of the GDPR’s OSS is known to its Irish regulator — which holds detailed documentation on its structure and is supposed to be kept informed of how it’s functioning on an ongoing basis, such as by receiving minutes of board meetings. So it should not take long for any failure of established essential processes to become obvious to the DPC.

We reached out to the DPC for a response to our source’s account of how the OSS is already broken — but at press time we had not been able to reach our contact at the regulator.

If Twitter seeks to claim that it remains compliant with the OSS requirement of a main establishment in the EU — in spite of glaring personnel and process gaps and Musk’s very public and cavalier approach to rapidly iterating product development (which has already missed glaringly obvious risks like paid verification leading to a wave of impersonation) — it will be up to the DPC to make an assessment of whether the OSS still stands or not.

That said, other watchful EU DPAs may not sit on their hands in the meanwhile. Under the GDPR, all these bodies have powers to make emergency interventions in certain circumstances that let them derogate from the OSS — such as if they feel there is a pressing risk to local users’ data. So we could see other DPAs reaching for Article 66 powers and implementing their own urgency procedures against Twitter in their own markets.

The information coming out of Twitter currently (either unofficially, via media leaks, or via Musk’s cryptic tweets) paints a picture of a drastic rewriting (or tearing up) of how product decisions and development are being done — with the Tesla and SpaceX CEO at the center of decision-making and remaining staffers scrambling to keep up with his mercurial/ridiculous demands.

As well as mass sackings, Musk’s chaotic first days at Twitter have featured a flurry of radical yet obviously ill-thought-through product changes and rapid-fire launches — followed by equally erratic revisions, U-turns and product suspensions as obvious problems zoomed into view.

This has included the aforementioned bizarre reworking of an existing Twitter subscription product (Twitter Blue), which added the ability for users to pay to receive a blue checkmark the platform had previously applied only to high-profile and other notable accounts to act as a verification and authenticity signal (not a revenue driver) — but without Twitter performing any verification check of these paying customers’ identities at all.

Impersonation chaos immediately ensued — as did more chaos: An “official” badge/second gray checkmark was rushed out by certain staff at Twitter, seemingly in a bid to reapply a layer of critical verification to key accounts, yet got killed almost immediately by Musk with little public explanation.

By Friday, the platform appeared to have paused the Blue subscription after widespread abuse of the paid verification feature — although Musk also tweeted that it would “probably” return by the end of this week.

In recent days, Musk has also tweeted to suggest a raft of other incoming changes — such as stipulating mandatory parody disclosures (apparently in a bid to limit abuse of paid verifications) — and touting another feature coming “soon” that he said will involve Twitter enabling “organizations to identify which other Twitter accounts are actually associated with them” (whatever that means).

One Twitter staffer — apparently elevated to help implement Musk’s radical rethink of Twitter Blue — recently tweeted that “there are no sacred cows in product at Twitter anymore.”

Musk’s take on the new modus operandi was blunter: He tweeted last week that Twitter “will do lots of dumb things in the coming months” — and “keep what works & change what doesn’t.”

If that’s not a red rag encouraging a regulatory clampdown, nothing is…

It’s anyone’s guess what’s actually going on with Twitter product development. But that’s not just a problem for confused Twitter users (and advertisers) trying to understand how the platform is changing and what it might mean for the quality of the information being surfaced; it’s also a growing nightmare for Twitter — exactly because the company has legal obligations to keep regulators informed.

If it fails to do that, it’ll be compliance cost and risk spiraling out of control — with the potential for a total car crash scenario smashing the business (per the internal lawyer’s note to Twitter employees obtained by The Verge last week, an FTC penalty for Twitter breaching the consent order could run into the billions of dollars) and smashing any remaining staff who are exposed to personal liability (such as those agreeing to work in ways that run counter to the terms of the FTC consent decree).

(In a separate example, the former head of security at Uber was recently found guilty of criminal obstruction — and could face jail time — after a federal jury in San Francisco found he had obstructed justice and concealed knowledge after he sought to hide information about a 2016 data breach at Uber from the public and the Federal Trade Commission, which had been investigating the incident — and, in that case, Uber did not already have an FTC consent decree in place, unlike Twitter.)

On the GDPR side, if Twitter gets exposed to decentralized oversight across the EU by falling out of the OSS, it could lead to major headaches as it could be hit with multiple GDPR fines by watchdogs all over the region — each of up to 4% of its annual turnover. So a pipeline of such fines could quickly start to add up for Twitter (which Musk has already claimed could face bankruptcy).

On top of that, the administrative drain for Twitter’s business of having to deal with multiple EU regulators would scale the cost and complexity of GDPR compliance, swaddling what is a shrinking (and already creaking) resource in reams of additional red tape — in a way that could tip the platform further over the edge into total business breakdown.

Alarm bells should thus be blaring very loudly indeed that Twitter’s new owner appears too spaced out to understand — or care — about maintaining critical structures that exist to ensure the business can operate in a way that has, up until now, kept regulators at a watchful distance, avoiding a whole world of regulatory pain falling on and crushing the life out of the bird.
