If You Thought The FTC Was Going To Fuck Over Elon, Just Wait Until He Learns About The EU
from the this-won't-end-well dept
We’ve already pointed out that the new Twitter under Elon Musk may be facing some big challenges from the FTC in the US. The company is under a consent decree, and it’s not clear that Musk is complying with the terms of the consent decree. And unlike SEC violations, violating an FTC consent decree can hurt. Between the FTC and the DOJ, they can make it hurt. The fact that basically all of the remaining Twitter execs whose necks were on the line for potentially violating the FTC consent decree quit at the same time should tell you something (I guarantee it told the FTC something).
That said, the FTC may be the least of Musk’s problems once the EU gets ahold of him. Natasha Lomas, over at TechCrunch, has an interesting article detailing how the Musk-run Twitter may be falling out of compliance with the GDPR in the EU. That’s potentially a big deal, given that the GDPR can lead to pretty massive fines.
Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators.
Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday. But the Irish Data Protection Commission (DPC)’s concerns are already spiraling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signaling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover.
Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers. Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report.
Not great! And, timing-wise, it’s potentially much, much worse. Though, to understand why, you need to know a bit of what’s been happening in the EU under the GDPR (something I’d pretty much guarantee that Musk has no idea about, though Twitter’s mostly departed legal team most likely did).
Right now there’s a bit of a turf war over the GDPR. You see, as it stands, under this “one-stop shop” (OSS) policy, Twitter really only has to deal with the Irish data protection authority (DPA). Indeed, a bunch of American tech companies have all basically done the same thing in the (possibly correct!) belief that the Irish DPC is probably the most business/innovation friendly of the various DPAs out there.
And that’s been pissing off Brussels. As we reported earlier this year, EU officials in Brussels have been whining that the GDPR has been a mess, but reading between the lines, they’re really complaining that the Irish DPC simply hasn’t been willing to stand up to American tech companies and fine them for things that the folks in Brussels are mad about. The technocrats in Brussels have been making noises about updating the GDPR to effectively take power out of the hands of the local DPAs, and to stop tech companies from forum shopping for DPAs.
So… that means, right now, the Irish DPC has tremendous incentive to find a head to scalp to prove that it’s up to the task of regulating data protection issues within American tech companies.
Enter Elon Musk (and exit everyone who could have explained this to him).
It could get even worse, as described above in the TechCrunch article, because by screwing up the OSS process, Twitter could open itself up to facing regulatory scrutiny from other, much, much less forgiving DPAs:
If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland, the company will crash out of the OSS — opening it up to being regulated by the data protection authority across the bloc’s 27 Member States, which would become competent to oversee its business.
In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business-friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.
If Twitter loses its ability to claim main establishment in Ireland, it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)
So, all this fucking around seems likely to turn into “finding out” no matter what. The Irish DPC has strong incentives to make an example of Twitter… and if it does not, then lots of others may pile on instead.
That said, the TechCrunch article also includes some kind of eye-opening details that I don’t recall being mentioned publicly before:
The structure Twitter was relying upon to participate in the GDPR’s OSS includes a system of mandatory privacy and security reviews for new products — to enable the Irish entity to insert its feedback and exert influence over product development.
Under this framework, the board of the Irish company was able to raise concerns about planned new features ahead of launch, with input then fed back to U.S. product development teams to be incorporated into products before launch — thereby, assuming the protocol was correctly followed, empowering a local decision-making capacity inside the EU.
However, per our source, the situation at Twitter since Musk took over is that no information is being provided about what products are being worked on in the U.S. to the Irish entity’s management — nor is the Irish entity’s management able to provide any input into any product Musk is working on since it is not being kept apprised of what’s being developed.
Products in development at Twitter are not even being submitted into review pipelines anymore, much less getting reviews before being shipped, according to our source, who told us the system has essentially stopped operating.
So… that seems… not great? I mean, it is very much in line with the EU view of regulation where they often believe regulators should be seen as “partners” with the tech companies, but it still seems highly questionable that the company would allow Irish regulators “to insert… feedback and exert influence over product development.” If that’s an accurate portrayal of the situation, then it would be a good thing for Musk to cut it off, though it’s unclear if this was done on purpose or through sheer cluelessness.
And, of course, things are only likely to get worse for Elon in the EU. The DSA is coming into effect on January 1, 2024. And it’s going to be a huge mess. Like a tremendously big mess. But as we discussed on the podcast in that link, over the next year, there is still a lot of work to be done, often by the big tech companies, to define the exact parameters of how the DSA will work in practice.
Yes, there is some nonsense in the fact that the law is already passed and set to go into effect while the actual rules are still being written, but that’s the process, so you have to deal with it. For the past few years, as we’ve pointed out, Twitter has been a vocal participant in the dialogue around the DSA, and has done a fair bit to push the final rules in better directions (it could have been much, much worse).
It’s unclear how (or if) an Elon-run Twitter will continue participating. Yes, back in May, Elon met with Thierry Breton, who is leading the process for the DSA, and made some monumentally stupid remarks saying he completely agreed with the DSA’s approach, which will lead to tremendous government-induced censorship. And Breton has been salivating ever since, even gleefully (and somewhat obnoxiously) tweeting about how the EU will control Twitter’s content moderation going forward:
None of that bodes well for Twitter in the EU going forward. Right now is when Twitter should be heavily engaged in helping to define the actual rules under the DSA and how the company will interact with EU enforcers. But I can’t imagine there are many people left at Twitter who even know this is happening.
Yes, I’m sure when the EU comes down on Elon’s Twitter, he’ll whine about the unfairness of government regulations. And, in some cases with the EU, he’s not wrong. But, he should at least be aware of the fucking process, and how it’s playing out right now, rather than just ignoring it entirely and then complaining when they crush him later.