Privacy regulators in Ireland have launched an investigation into exactly how much data Twitter collects from t.co, its URL-shortening system.
The investigation stems from a request made by a UK professor named Michael Veale under the General Data Protection Regulation (or GDPR), a comprehensive European privacy law that took effect in May. Under the GDPR, EU citizens have a right to request any data collected on them from a given company — but when Veale made that request to Twitter, the company claimed it had no data from its link-shortening service. Veale was skeptical, and wrote to the relevant privacy regulator to see if Twitter was holding back some of his data.
Now, that investigation seems to be underway. The investigation, first reported by Fortune, is confirmed in a letter sent to Veale by the office of the Irish Data Privacy Commissioner.
“The DPC has initiated a formal statutory inquiry in respect of your complaint,” the letter reads. “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Data Protection] Act have been contravened by Twitter in this respect.”
Initially designed as a way to save characters in the limited space of a tweet, link-shortening has also proved to be an effective tool at fighting malware and gathering rudimentary analytics. Those analytics services can also present a significant privacy risk when when used in private messages. Both Facebook and Twitter have faced lawsuits for collecting data on links shared in private messages, although no wrong-doing was conclusively established in either case.
Twitter declined to comment when contacted, saying only that it was “actively engaged” with the Irish Data Privacy Commissioner.