The Cnil is interested in recent revelations targeting Twitter and its management of personal data


Directly cited in recent revelations concerning Twitter, the Cnil will closely scrutinize the practices of the social network in terms of personal data protection. The authority could bring down the GDPR hammer.

The controversies keep piling up for Twitter. Entangled in its lawsuit against Elon Musk, the social network now has to deal with another very unflattering piece of news: the revelations of its former cybersecurity chief concerning the company's questionable practices in the management of personal data.

The CNIL is taking a close interest in the case

Accused all at once of poorly protecting user data, of having lied to the authorities about data leaks, of having provided critical information to the Indian government and of not knowing how to handle a simple account deletion, Twitter is in a very bad position after the remarkable intervention of Peter Zatko, nicknamed Mudge. And the problems are unlikely to stop there. Already under the inquisitive eye of the American Congress, Twitter's practices could now interest Europe's personal data watchdogs.

According to Le Figaro, the Cnil and the DPC, its Irish equivalent, are already looking into this case. “The elements concerning the Cnil must be analyzed in depth, so at this stage we are not in a position to confirm or deny the accuracy of the breaches invoked. If the accusations prove to be correct, the Cnil could carry out checks likely to lead to a formal notice or a sanction if breaches were noted,” the Cnil explained to Le Figaro. The DPC has “started a dialogue with Twitter about it”, according to TechCrunch.

Twitter facing the GDPR

Twitter's practices, if confirmed, may well violate the General Data Protection Regulation (GDPR). If undeclared data leaks have taken place, this contravenes Article 33 of the European text, which requires “that in the event of a personal data breach, the controller notifies the breach in question to the competent supervisory authority”. Failing to delete an account at a user's request falls foul of Article 17, which specifies that “the data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him or her”.

As if that were not enough, the Cnil and the DPC are cited directly in the letter that Peter Zatko sent to the American authorities. In early 2022, the two independent authorities wanted to ask Twitter for a right to inspect the data the company uses to feed its sorting algorithm. According to Mudge's testimony, Twitter allegedly lied to US authorities when they made the same request to the company, and “a privacy officer told Mudge that Twitter was going to attempt the same deception” with the European authorities. An honest response would, according to Peter Zatko, reveal that Twitter had committed “significant copyright and intellectual property violations”.

The blue bird network therefore does not seem to be out of the woods, and we cannot rule out further twists and turns making it falter again in the coming weeks.
