Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop?

Helmed by erratic new owner Elon Musk, Twitter is no longer fulfilling key obligations required for it to claim Ireland as its so-called “main establishment” under the European Union’s General Data Protection Regulation (GDPR), a source familiar with the matter has told TechCrunch.

Our source, who is well placed, requested and was granted anonymity owing to the sensitivity of the issue — which could have major ramifications for Twitter and for Musk.

Like many major tech firms with customers across the European Union, Twitter currently avails itself of a mechanism in the GDPR known as the one-stop shop (OSS). This is beneficial because it allows the company to streamline regulatory administration by being able to engage exclusively with a lead data supervisor in the EU Member State where it is ‘main established’ (in Twitter’s case Ireland), rather than having to accept inbound from data protection authorities across the bloc.

However, under Musk’s chaotic reign — which has already seen a fast and deep downsizing of Twitter’s headcount, kicking off with layoffs of 50% of staff earlier this month — questions are being asked over whether its main establishment status in Ireland for the GDPR still holds or not.

The resignation late last week of key senior personnel responsible for ensuring security and privacy compliance looks like a canary in the coal-mine when it comes to Twitter’s regulatory situation — with CISO Lea Kissner; chief privacy officer Damien Kieran; and chief compliance officer Marianne Fogarty all walking out the door en masse.

It’s not clear whether any adequately qualified individuals will be willing to step into these critical compliance roles for privacy and security at Twitter given the current Musk-driven craziness — since anyone signing up for that level of responsibility risks opening themselves up to personal liability should regulatory requirements be breached on their watch.

As we reported Friday, Musk’s attorney and now head of legal at Twitter, Alex Spiro — who has reportedly been given a key role in the overhaul of the platform — emailing all staff on behalf of “Elon” to claim they face no personal liability will surely sound alarm bells at regulators over Twitter’s direction of travel.

Last week, The Verge also reported on turmoil inside Twitter’s privacy and security function as standard review procedures were dispensed with and engineers were asked to “self certify” compliance with FTC rules. Its report also cited an unnamed company lawyer who it said had Slacked employees to warn them that changes to how Twitter operates is piling personal, professional and legal risk onto engineers instructed to implement Musk’s will regardless of consequences.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators.

Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday. But the Irish Data Protection Commission (DPC)’s concerns are already spiralling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signalling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover.

Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers. Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report. (We’re happy to add a response if Twitter or Musk wants to send us one.)

For Twitter’s business itself, there are a number of potential consequences in play if its ability to meet regulatory requirements falls.

If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland the company will crash out of the OSS — opening it up to being regulated by data protection authority across the bloc’s 27 Member States which would become competent to oversee its business.

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

If Twitter loses its ability to claim main establishment in Ireland it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

The GDPR does not set out specific criteria for assessing main establishment. But, in Twitter’s case — in order for it to be able to fulfil the regulation’s requirement of “effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements” actually taking place locally, in Ireland, despite Twitter product development being led out of the US — we understand that the company devised a careful legal framework which was designed to empower an Irish entity to be the data controller for EU users by ensuring that this Ireland-located Twitter company, which has its own board of directors subject to Irish law, has oversight of and influence on US-led product development.

The structure Twitter was relying upon to participate in the GDPR’s OSS includes a system of mandatory privacy and security reviews for new products — to enable the Irish entity to insert its feedback and exert influence over product development.

Under this framework, the board of the Irish company was able to raise concerns about planned new features ahead of launch, with input then fed back to US product development teams to be incorporated into products before launch — thereby, assuming the protocol was correctly followed, empowering a local decision making capacity inside the EU.

However, per our source, the situation at Twitter since Musk took over is that no information is being provided about what products are being worked on in the US to the Irish entity’s management — nor is the Irish entity’s management able to provide any input into any product Musk is working on since it is not being kept apprised of what’s being developed.

Products in development at Twitter are not even being submitted into review pipelines any more, much less getting reviews before being shipped, according to our source, who told us the system has essentially stopped operating.

“Solving for the OSS is going to be a nightmare because that was already a complicated dance for Twitter’s old management — because it was a situation where you had two employees, effectively, who were lower down the pecking order of the company, the directors of the Irish entity, who are directing the US entity what to do,” this person said, adding: “But in a world where Elon is sole king, dictator, everything you want some employees based in Dublin to try and give feedback to this guy? Who? That’s never going to work.”

Our source’s account of abandoned review processes aligns with the Verge‘s reporting of normal security and privacy reviews being thrown into turmoil on Musk taking over.

Its report cites an employee who told is the revamped Blue subscription disregarded the normal review process — with a “red team” only reviewing potential risks the night before launch, meaning they were not provided with enough notice or time to be able to conduct a comprehensive check, plus, in any case, none of their recommendations were implemented prior to the product’s relaunch.

The function of the product review pipeline where Twitter’s reliance on the OSS and GDPR is concerned, is more specific: It’s to act as a conduit for information to flow between US-based Twitter’s product development teams, critical privacy and security review teams and staffers, and the Irish oversight entity — to enable a crucial decision-making capability to exist in the EU which meets a regulatory bar. So if the Irish entity is no longer in the loop on product decisions it’s difficult to see how Twitter can credibly continue to participate in the OSS.

We understand that the Irish entity has two remaining board members — both of whom are located in Ireland. The board requires a minimum of two board members to be located in Ireland, under Irish law, in order to have a quorum. (The Irish entity previously had a third board member — who was located in the US — but that person appears to have left Twitter last month.)

As far as we are aware, the two remaining Irish entity board members are still employed by Twitter (for now) — but our source’s view is that the situation is already untenable, given the board is being cut out of decision making as Musk overrides the established oversight system for product review (and — seemingly — ignores and/or is unaware of the regulatory requirements it was designed to meet).

The system Twitter devised to avail itself of the GDPR’s OSS is known to its Irish regulator — which holds detailed documentation on its structure and is supposed to be kept informed of how its functioning on an ongoing basis, such as by receiving minutes of board meetings. So it should not take long for any failure of established essential processes to become obvious to the DPC.

We reached out to the DPC for a response to our source’s account of how the OSS is already broken — but at press time we had not been able to reach our contact at the regulator.

If Twitter seeks to claim that it remains compliant with the OSS requirement of a main establishment in the EU — in spite of glaring personnel and process gaps and Musk’s very public and cavalier approach to rapidly iterating product development (which has already missed glaringly obvious risks like paid verification leading to a wave of impersonation) — it will be up to the DPC to make an assessment of whether the OSS still stands or not.

That said, other EU watchful DPAs may not sit on their hands waiting in the meanwhile. Under the GDPR, all these bodies have powers to make emergency interventions in certain circumstances that lets them derogate from the OSS — such as if they feel there is a pressing risk to local users data. So we could see other DPAs reaching for Article 66 powers and implementing own urgency procedures against Twitter in their own markets.

The information coming out of Twitter currently (either unofficially, via media leaks, or via Musk’s cryptic tweets) certainly paints a picture of a drastic rewriting (or tearing up) of how product decisions and development is being done — with the Tesla and SpaceX CEO at the center of decision making and remaining staffers scrambling to keep up with his mercurial/ridiculous demands.

As well as mass sackings, Musk’s chaotic first days at Twitter have featured a flurry of radical yet obviously ill-thought-through product changes and rapid-fire launches — followed by equally erratic revisions, u-turns and product suspensions as obvious problems zoomed into view.

This has included the aforementioned bizarre reworking of an existing Twitter subscription product (Twitter Blue) which added the ability for users to pay to receive a blue checkmark the platform had previously applied only to high profile and other notable accounts to act as a verification and authenticity signal (not a revenue driver) — but without Twitter performing any verification check of these paying customers identities at all.

Impersonation chaos immediately ensued — as did more chaos: An “official” badge/second grey checkmark was rushed out by certain staff at Twitter, seemingly in a bid to reapply a layer of critical verification to key accounts, yet got killed almost immediately by Musk with little public explanation.

By Friday, the platform appeared to have paused the Blue subscription after widespread abuse of the paid verification feature — although Musk also tweeted that it would “probably” return by the end of this week.

In recent days, Musk has also tweeted to suggested a raft of other incoming changes — such as stipulating mandatory parody disclosures (apparently in a bid to limit abuse of paid verifications) — and touting another feature coming “soon” that he said will involve Twitter enabling “organizations to identify which other Twitter accounts are actually associated with them” (whatever that means).

One Twitter staffer — apparently elevated to help implement Musk’s radical rethink of Twitter Blue — recently tweeted that “there are no sacred cows in product at Twitter anymore”.

Musk’s take on the new modus operandi was blunter: He tweeted last week that Twitter “will do lots of dumb things in the coming months” — and “keep what works & change what doesn’t”.

If that’s not a red rag encouraging a regulatory clamp down, nothing is…

It’s anyone’s guess what’s actually going on with Twitter product development. But that’s not just a problem for confused Twitter users (and advertisers) trying to understand how the platform is changing and what it might mean for the quality of the information being surfaced, it’s a growing nightmare for Twitter — exactly because the company has legal obligations to keep regulators informed.

If it fails to do that it’ll be compliance cost and risk spiralling out of control — with the potential for a total car crash scenario smashing the business (per the internal lawyer’s note to Twitter employees obtained by the Verge last week, an FTC penalty for Twitter breaching the consent order could run into the billions of dollars); and smashing any remaining staff who are exposed to personal liability (such as those agreeing to work in ways that run counter to the terms of the FTC consent decree).

(In a separate example, the former head of security at Uber was recently found guilty of criminal obstruction — and could face jail time — after a federal jury in San Francisco found he had obstructed justice and concealed knowledge after he sought to hide information about a 2016 data breach at Uber from the public and the Federal Trade Commission which had been investigating the incident — and, in that case, Uber did not already have an FTC consent decree in place — unlike Twitter.)

On the GDPR side, if Twitter gets exposed to decentralized oversight across the EU by falling out of the OSS it could lead to major headaches as it could be hit with multiple GDPR fines by watchdogs all over the region — each of up to 4% of its annual turnover. So a pipeline of such fines could quickly start to add up for Twitter (which Musk has already claimed could face bankruptcy).

On top of that the administrative drain for Twitter’s business of having to deal with multiple EU regulators would scale the cost and complexity of GDPR compliance, swaddling what is a shrinking (and already creaking) resource in reams of additional red tape — in a way that could tip the platform further over the edge into total business breakdown.

Alarm bells should thus be blaring very loudly indeed that Twitter’s new owner appears too spaced out to understand — or care — about maintaining critical structures that exist to ensure the business can operate in a way that’s — up til now — kept regulators at a watchful distance, avoiding a whole world of regulatory pain falling on and crushing the life out of the bird.

Is Elon Musk’s Twitter about to fall out of the GDPR’s one-stop shop? by Natasha Lomas originally published on TechCrunch