Data Protection Commission launches inquiry into Twitter concerning datasets

23rd December 2022

The Data Protection Commission (‘the DPC’) today launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 (‘the Act’) in relation to multiple international media reports, which highlighted that one or more collated datasets of Twitter user personal data had been made available on the internet. These datasets were reported to contain personal data relating to approximately 5.4 million Twitter users worldwide. The datasets were reported to map Twitter IDs to email addresses and/or telephone numbers of the associated data subjects. The DPC corresponded with Twitter International Unlimited Company (‘TIC’) in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance. TIC engaged with the DPC and subsequently furnished a number of responses.

The DPC, having considered the information provided by TIC regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data.

Accordingly, the DPC considers it appropriate to determine whether TIC has complied with its obligations, as controller, in connection with the processing of personal data of its users or whether any provision(s) of the GDPR and/or the Act have been, and/or are being, infringed by TIC in this respect.