Twitter’s lead privacy regulator in the European Union is being kept very busy indeed by Elon Musk’s erratic piloting of the bird site.
Following a report by Platformer, which suggests Musk is planning to force users to accept personalized advertising unless they pay for a subscription service that will include an opt-out for ads, the Irish Data Protection Commission (DPC) told us it is reviewing the matter.
This adds to a growing pile of data protection concerns piling up on its desk — let’s call these the real ‘Twitter Files’ — such as Musk providing access to Twitter systems to non-staff reporters (um, security and privacy anyone?); the status of Twitter’s main establishment in Ireland (and, therefore, the streamlined situation it currently enjoys with the DPC leading oversight of its compliance with the EU’s General Data Protection Regulation, aka the GDPR); and whether Twitter has adequate compliance staff and appropriate resources to deal with all the inbound enquiries from regulators and users (such as requests for deletion of data) since Musk took an axe to halve company headcount, to name a small portion of the regulatory chaos he’s kicked up in very short order.
Under the GDPR Twitter needs a valid legal basis to process personal data, such as tracking and profiling users to target them with ads.
Consent is one of the legal bases that can be possible under the GDPR — but you can’t force users to consent; consent must be freely given if it’s to meet the legal bar. Ergo, forcing users to pay up or else be tracked and targeted looks unlikely to pass muster with EU regulators.
Another legal bases permitted in the GDPR is contractual necessity. And it’s worth noting that this is the legal basis currently claimed by Facebook-owner Meta for the ‘personalized’ ads it forces on users of its social networking services.
However in a blow to Musk’s ambitions to follow Zuck and force microtargeted ads into Europeans eyeballs whether they like it or not (or else, in Musk’s case, force Europeans to pay him not to profile them for ad targeting), the European Data Protection Board recently issued a decision on a long running complaint against Meta’s controversial choice of legal basis — which, per press reports, appears to rule out using a claim of performance of a contract to run behavioral advertising.
There is also legitimate interest (LI) — another legal basis that exists in the GDPR. But, again, it’s a sad trombone for Musk on this front as TikTok was forced to abort a planned switch of legal basis for its personalized ads, from consent to LI, this summer — after warnings from Italy’s DPA that this would not be legit.
The DPC also stepped in to ‘engage’ with TikTok on the matter — in its capacity as TikTok’s lead supervisor for GDPR. But it’s not just the GDPR that’s likely to apply here if Twitter similarly tries to force tracking ads on users in Europe: The EU’s ePrivacy Directive, which governs online tracking, also likely comes into play — and, as Italy’s DPA warned TikTok a few months ago, you can’t do tracking without asking for consent. Ergo LI won’t fly for Twitter tracking ads.
Additionally, and unhappily for Musk — who is famously not a fan of regulators — the ePrivacy Directive does not have a one-stop-shop mechanism streamlining regulatory oversight (and oftentimes shrinking risk) via a lead DPA, as is the case with the GDPR. So if he tries to force tracking ads on EU users he’s opening the company up to enforcement by privacy watchdogs across the bloc, from Italy to France, and on through as many of the 27 EU Member States that have DPAs with an appetite for enforcement.
France’s privacy watchdog, the CNIL, has been very active on enforcing ePrivacy against tech giants in recent years — fining Google $120 million two years ago for dropping tracking cookies without consent, for instance, and hitting the adtech giant a second time with a further $170 million penalty this January over cookie consent dark patterns. It has also spanked Amazon and Facebook with multimillion dollar penalties for ePrivacy breaches over the same time frame. So there’s little reason to think the French would turn a blind eye to a swashbuckling Muskian forced-tracking-ads adventure.
It’s worth noting there are examples in some EU Member States (notably Germany) of certain news media websites putting up paywalls that offer users a choice between subscribing to view their content (i.e. journalism) or getting free access to it but with the stipulation that they agree to be tracked as the ‘price’ for this freebie.
Their approach remains controversial with data protection law experts and may not survive legal challenges. But, in the meanwhile, it doesn’t necessarily offer much succour to Musk’s ambitions to force ads on unwilling Europeans, either, since there is a clear difference between pay-or-be-tracked-gating of journalism (i.e. profession content that the paywalling company is paying to produce) vs pay-or-be-tracked-gating of user generated content which Musk is getting for free for some crazy reason, even as he yells at Twitter users to pay him ~$8pm or else.
So a pay-me-or-else paywall in the microblogging platform case doesn’t look like it would be smooth sailing either.
So what penalties might Musk face if he goes ahead and tries to force ads on European users?
Under the GDPR, penalties can scale up to 4% of global annual turnover — so, on paper, the cost of breaking the law can certainly get expensive (though Twitter has escaped major sanction to date). But GDPR penalties against tech giants have been getting bigger in recent years (even if the bill may take years to arrive). And flagrant/wilful breaches typically invite bigger fines than one-off incidents like a security slip up.
ePrivacy also allows EU regulators to levy dissuasive sanctions for breaches — and these can, demonstrably, exceed a hundred million dollars apiece (i.e. from a single regulator), so costs could stack up quickly here too if multiple watchdogs wade in.
ePrivacy enforcement is also not slowed down by a one-stop-shop mechanism funnelling cross-border complaints through a single lead regulator (as happens with the GDPR). So fines could arrive in fairly short order if Musk pushes ahead with forced tracking despite the lack of a legal path for such processing.
Both privacy laws also enable EU regulators to issue corrective orders against infringing practices. And failure to comply with such orders invites — you guessed it! — further sanction. So if Musk refuses to correct course he is walking into an ongoing world of costly regulatory pain in Europe.
He has more regulatory trouble brewing in the region, too.
Looming on the horizon is application of the EU’s new Digital Services Act (DSA), the bloc’s rebooted Internet rulebook, which concerns itself with content governance issues, so how platforms tackle problems like terrorism, hate speech, disinformation etc. Here again Musk’s ‘free the bird’ approach has quickly thrown regulatory expectations into a spin that has led (already) to closer scrutiny by EU lawmakers than would likely have occurred without the Tesla CEO at the helm of Twitter.
The European Commission itself will oversee larger platforms’ compliance with the DSA, rather than national authorities. And just last month it warned Twitter over the need to have adequate resourcing for compliance in place — saying it would carry out a stress test of its approach at its Dublin HQ early next year. So it’s already putting Twitter on DSA watch.
It remains to be seen whether or not the Commission will classify Twitter as a so-called VLOP — meaning it would take on the burden of regulating Musk’s erratic rule itself. But he is essentially inviting that increased level of EU scrutiny (and regulatory risk) by playing so fast and loose with existing governance and compliance structures. Ergo, Twitter’s DSA compliance being regulated by the Commission looks rather more possible than it probably should, based on an assessment of the platform’s size alone. And that’s all down to Musk’s hard work ripping up existing governance structures and driving out compliance expertise.
Penalties under the DSA can scale up to 6% of global annual turnover. The regulation also contains powers for regulators to ban infringing services if they repeatedly fail to correct governance — so if Musk keeps on trolling the region’s regulators a complete loss of Twitter’s EU revenue cannot be entirely ruled out… Buckle up!