Derek Mooney writes: Understandably, much of the comment and analysis of the Twitter job cuts has focussed on the breaches of EU laws on collective redundancies and employee information and consultation. These concerns have not just been limited to the UK and EU. The job cuts, and the manner in which they were executed, probably breach laws in many other jurisdictions, including Korea.
However, back in the EU… and most specifically, Dublin… the focus is now moving to another emerging regulatory concern: GDPR. Many now wonder whether Twitter’s main establishment status in Ireland still holds. The mass dismissals triggered several key Twitter resignations, particularly those senior personnel responsible for ensuring security and privacy compliance. CISO Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty all quit. Kieran has been Twitter’s first and only DPO since the role was created in 2018. Under the GDPR, Twitter is obliged to have a data protection officer (DPO) to provide a contact point for regulators.
The departure of Twitter’s DPO has caused the Irish Data Protection Commission, Twitter’s lead regulatory authority in the EU, to put Twitter on watch. Deputy Commissioner Graham Doyle told TechCrunch last week that Twitter had not informed the DPC of the DPO’s departure prior to the media reports and that it was in contact with the company about the DPO’s departure and the consequences of this for the location of Twitter’s main establishment in Ireland. Doyle told TechCrunch:
“One of the issues that we want to discuss is the issue around main establishment… They’re obliged to have a data protection officer in place and provide us with the details but equally, under the [GDPR] one-stop-shop (OSS) mechanism in order to get a main establishment to engage with one regulator, the decision-making processes — in terms of the processing of EU data — needs to take place in that country. That’s one of the principles of main establishment. And what we want to establish is that that is continuing to be the case for Twitter.”
As TechCrunch explains in a more detailed follow-up article, this is no mere technical matter.
While Twitter product development has always been led out of the U.S., the company devised a legal framework to empower its Ireland-located Twitter company to be the data controller for EU users by ensuring that it had oversight of and influence on U.S.-led product development. This bottom-up approach, with less senior folks in Dublin conducting mandatory privacy and security reviews and having influence over product development back in the U.S., allowed Twitter to hold its GDPR One-Stop-Shop status and access to Europe.
But where does this delicate balance stand in the new Musk-driven, more top-down approach?
The recent “confusion” over Blue Ticks, subscriptions and user verification systems does suggest that new products in development are not being submitted into review pipelines anymore, never mind getting reviews and feedback from folks in Dublin before launch.
While the Irish DPC has a record of working constructively with those companies it regulates to overcome and address such problems, several other – more activist and - data regulators across the EU are watching carefully. Others may exercise their Art 66 powers and act against Twitter in their own markets as GDPR gives them the power to make emergency interventions if they feel there is a pressing risk to local users’ data.