If You Thought The FTC Was Going To Fuck Over Elon, Just Wait Until He Learns About The EU

from the this-won't-end-well dept

We’ve already pointed out that the new Twitter under Elon Musk may be facing some big challenges from the FTC in the US. The company is under a consent decree, and it’s not clear that Musk is complying with the terms of the consent decree. And unlike SEC violations, violating an FTC consent decree can hurt. Between the FTC and the DOJ, they can make it hurt. The fact that basically all of the remaining Twitter execs whose necks were on the line for potentially violating the FTC consent decree quit at the same time should tell you something (I guarantee it told the FTC something).

That said, the FTC may be the least of Musk’s problems once the EU gets ahold of him. Natasha Lomas, over at TechCrunch, has an interesting article detailing how the Musk-run Twitter may be falling out of compliance with the GDPR in the EU. That’s potentially a big deal, given that the GDPR can lead to pretty massive fines.

Under the EU’s GDPR, meanwhile, Twitter is obliged — in just one very basic requirement — to have a data protection officer (DPO) to provide a contact point for regulators.

Hence the departure of Kieran, its first and only DPO since the role was created at the company in 2018, has not gone unnoticed by its data protection watchdog in Ireland — as we also reported Friday. But the Irish Data Protection Commission (DPC)’s concerns are already spiraling wider than Twitter’s compliance with notifications about core personnel: Last week, the authority — currently Twitter’s lead EU DPA under the GDPR’s OSS — put the social media firm on watch by signaling public concern when it said it would be putting questions to the company about the status of its main establishment in Ireland at a meeting scheduled for early this week, to discuss all the recent privacy changes since the Musk takeover.

Twitter has not commented publicly on the DPC’s warning nor on the departures of senior regulator-facing staffers. Indeed, since Musk took over, its communications department appears to have been dismantled and the company no longer responds to press requests for comment — so it was not possible to obtain an official statement from Twitter about these departures or on the substance of our report.

Not great! And, timing wise, it’s potentially much, much worse. Though, to understand why you need to know a bit of what’s been happening in the EU under the GDPR (something I’d pretty much guarantee that Musk has no idea about, though Twitter’s mostly departed legal team most likely did).

Right now there’s a bit of a turf war over the GDPR. You see, as it stands, under this “one-stop shop” (OSS) policy, Twitter really only has to deal with the Irish data protection authority (DPA). Indeed, a bunch of American tech companies have all basically done the same thing in the (possibly correct!) belief that the Irish DPC is probably the most business/innovation friendly of the various DPAs out there.

And that’s been pissing off Brussels. As we reported earlier this year, EU officials in Brussels have been whining that the GDPR has been a mess, but reading between the lines, they’re really complaining that the Irish DPC simply hasn’t been willing to stand up to American tech companies and fine them for things that the folks in Brussels are mad about. The technocrats in Brussels have been making noises about updating the GDPR to effectively take power out of the hands of the local DPAs, and to stop tech companies from forum shopping for DPAs.

So… that means, right now, the Irish DPC has tremendous incentive to find a head to scalp to prove that it’s up to the task of regulating data protection issues within American tech companies.

Enter Elon Musk (and exit everyone who could have explained this to him).

It could get even worse, as described above in the TechCrunch article, because by screwing up the OSS process, Twitter could open itself up to facing regulatory scrutiny from other, much, much, less forgiving DPAs:

If the DPC assesses (or is informed by Musk) that it no longer has its main establishment in Ireland, the company will crash out of the OSS — opening it up to being regulated by the data protection authority across the bloc’s 27 Member States, which would become competent to oversee its business.

In practice, that means any EU data protection authority would be able to act directly on concerns it has that local users’ data is at risk — with the power to instigate their own investigations and take enforcement actions. So Ireland’s more business-friendly regulator would no longer be leading the handling of any GDPR concerns about Twitter; probes could be simultaneously opened up all over the EU — including in Member States like France and Germany where data protection authorities have a reputation for being quicker to the punch (and/or more aggressive) in responding to complaints compared to Ireland.

If Twitter loses its ability to claim main establishment in Ireland, it would therefore drastically amp up the complexity, cost and risk of achieving GDPR compliance. (Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

So, all this fucking around seems likely to turn into “finding out” no matter what. The Irish DPC has strong incentives to make an example of Twitter… and if it does not, then lots of others may pile on instead.

That said, the TechCrunch article also includes some kind of eye-opening details that I don’t recall being mentioned publicly before:

The structure Twitter was relying upon to participate in the GDPR’s OSS includes a system of mandatory privacy and security reviews for new products — to enable the Irish entity to insert its feedback and exert influence over product development.

Under this framework, the board of the Irish company was able to raise concerns about planned new features ahead of launch, with input then fed back to U.S. product development teams to be incorporated into products before launch — thereby, assuming the protocol was correctly followed, empowering a local decision-making capacity inside the EU.

However, per our source, the situation at Twitter since Musk took over is that no information is being provided about what products are being worked on in the U.S. to the Irish entity’s management — nor is the Irish entity’s management able to provide any input into any product Musk is working on since it is not being kept apprised of what’s being developed.

Products in development at Twitter are not even being submitted into review pipelines anymore, much less getting reviews before being shipped, according to our source, who told us the system has essentially stopped operating.

So… that seems… not great? I mean, it is very much inline with the EU view of regulation where they often believe regulators should be seen as “partners” with the tech companies, but it still seems highly questionable that the company would allow Irish regulators “to insert… feedback and exert influence over product development.” If that’s an accurate portrayal of the situation, then it would be a good thing for Musk to cut it off, though it’s unclear if this was done on purpose or through sheer cluelessness.

And, of course, things are only likely to get worse for Elon in the EU. The DSA is coming into effect on January 1, 2024. And it’s going to be a huge mess. Like a tremendously big mess. But as we discussed on the podcast in that link, over the next year, there is still a lot of work to be done, often by the big tech companies, to define the exact parameters of how the DSA will work in practice.

Yes, there is some nonsense in the fact that the law is already passed and set to go into effect, but the actual rules are still being written, but that’s the process, so you have to deal with it. For the past few years, as we’ve pointed out, Twitter has been a vocal participant in the dialogue around the DSA, and has done a fair bit to push the final rules in better directions (it could have been much, much worse).

It’s unclear how (or if) an Elon-run Twitter will continue participating. Yes, back in May, Elon met with Thierry Breton, who is leading the process for the DSA, and made some monumentally stupid remarks saying he completely agreed with the DSA’s approach, which will lead to tremendous government-induced censorship. And Breton has been salivating ever since, even gleefully (and somewhat obnoxiously) tweeting about how the EU will control Twitter’s content moderation going forward:

None of that bodes well for Twitter in the EU going forward. Right now is when Twitter should be heavily engaged in helping to define the actual rules under the DSA and how the company will interact with EU enforcers. But I can’t imagine there are many people left at Twitter who even know this is happening.

Yes, I’m sure when the EU comes down on Elon’s Twitter, he’ll whine about the unfairness of government regulations. And, in some cases with the EU, he’s not wrong. But, he should at least be aware of the fucking process, and how it’s playing out right now, rather than just ignoring it entirely and then complaining when they crush him later.

Filed Under: , , , , , ,
Companies: twitter

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “If You Thought The FTC Was Going To Fuck Over Elon, Just Wait Until He Learns About The EU”

Subscribe: RSS Leave a comment
43 Comments
Anonymous Coward says:

the GDPR (something I’d pretty much guarantee that Musk has no idea about

Musk really should know about it, particularly given Tesla’s propensity to remotely access customers’ cars and fuck around with them (disabling features etc.) and use private information to refute public claims. Not only does Tesla sell cars into Europe, and collect data via European cellular networks, they have European employees and factories—so there’s no question of jurisdiction.

PaulT (profile) says:

Re:

That doesn’t mean he knows about it, just that he hasn’t fired the people who deal with those sorts of issues – if they’re complying.

If they’re not complying, then that’s 2 major targets Musk has painted with this nonsense.

I’d imagine he has some kind of knowledge of its existence (I imagine some heated meetings about why certain features have to differ on EU models), but in terms of day to day implementation I’d guess he leaves that to other people as it doesn’t seem to be the type of thing he would concern himself with until it affects him personally.

This comment has been deemed insightful by the community.
Anonymous Coward says:

Re: Re:

he hasn’t fired the people who deal with those sorts of issues

Well, no; as the story states, they’re resigning en masse, at least from Twitter.

in terms of day to day implementation I’d guess he leaves that to other people

It’s perfectly reasonable for a CEO to leave details to other people. Mike’s subtext, I think, it that it’s not really happening. Maybe Musk is obstructing or overruling them, or only wants sycophants in the boardroom, or is screaming “LA LA LA I CAN’T HEAR YOU”; I don’t know. But I’ll bet you they warned Musk that something was wrong, including at least some bullet points about the GDPR, before walking out the door, and before government officials and sites like Techdirt starting talking publically about it. We’ll see those e-mails when the lawsuits come, and then the courts aren’t gonna buy the “how could I have possibly known?” excuse.

christenson says:

Re: Re: Re: who can sue Elon and have standing?

The trouble is, twitter is now a privately held company, so there’s not a bunch of shareholders out there to sue like there is in Tornetta v Musk (the compensation case in Chancery at trial this week)

So to have standing to sue, you’ll need to be one of:
a) an employee (because employment law)
b) one of Elon’s co-owners
c) one of the lending bankers (because the loans are going to default — no idea whether there’s anything in there about reasonable business behavior or not)
d) the Gubmn’t, as in FTC or SEC (because consent decrees)

SEC looks doubtful, though Musk was in trouble for not having a tweet minder before he took twitter private.

David says:

Frankly

Never mind the FTC or the EU. With regard to who is going to fuck over Elon, they have to get in line behind, well, himself.

According to recent news, he told his staff that they will have to do “hardcore” work and overtime or get three months of severance.

Which means that everybody who is skilled enough to get a job elsewhere will leave, leaving mediocre staff working overtime. Which does not bode well for anything innovative getting done at all: everybody will be too busy just preventing the wheels from flying off.

He had a pretty good run, becoming the richest person on Earth. Lots of billionaires are pondering “giving everything to charity”, but the way it looks, Musk is so hellbent on driving everything into the ground that he’ll be more likely to end up giving everything to bankruptcy courts.

This is so blisteringly stupid that one has to wonder whether he found a recreational drug that is a particularly bad idea or swapped brains with Trump or both.

That One Guy (profile) says:

Re: Choices choices

‘Let’s see, in exchange for probably getting severance pay I can double and triple down for an unknown amount of time on a job that’s only going to get more difficult and stressful as more people leave and those left have to pick up the slack, to scramble to keep the system from burning down around me after everyone who kept it running left or were fired, all the while the boss is one tantrum away from canning me anyway.

Alternatively I can start looking for another job now…’

This comment has been flagged by the community. Click here to show it.

Christenson says:

Re: Re: A Message Common Carrier like twitter...

Mr Falik, Sir, you are hallucinating. Legally, twitter is not a common carrier, and it is exposed to no legal liability for moderation in the US. The consequences of what it does or does not moderate are purely twitter’s problem (and to some degree the users) and the courts will not get involved in moderation decisions.

Twitter is not a common carrier, even though it offers its services for free on a more or less evenhanded basis to all comers, any more than Truth Social, Parler, or, for that matter, this here Techdirt site.

In the US at least, the first amendment, aided by the famous section 230, says that if you post something illegal on a website, you, not the website are the proper party to face the legal consequences (maybe a lawsuit, maybe criminal prosecution), and further that calculus does not change in the face of the website removing or moderating content for any or no reason. Section 230 aids that by allowing websites that get sued (for example, because ISIS recruited terrorists with videos on Youtube) to move for dismissal before a lawsuit reaches the discovery stage. That’s a real example, and Techdirt has covered it, if you are curious.

Also, it seems that since Techdirt is reasonably well-moderated (thanks Leigh Beadon and helpers!), the necessity of moderating out “The worst people” in order to keep the main audience is invisible to you. You can see the camel’s nose of the worst people under the tent periodically when the occasional spam message makes it past the filtering process and we all flag it, or the last month or so where Koby has been making Techdirt less pleasant for everyone and his comments were very often flagged and hidden.

If you want a much more egregious example of what happens without moderation, look up an archive of a usenet news group and browse a little at the earliest posts you can find and then at the last posts you can find. A quick glance at 20 or so posts should make the effect quite obvious.

Anonymous Coward says:

Re: Re:

Wonder how many employees are exercising fixed value options while Twitter can still honor the purchases?

None, because they won’t be able to unload them, the fixed price being already higher than the current value (which is not looking to get much higher). Better to cut one’s losses, unless a tax write-off is needed at the end of the year….

This comment has been flagged by the community. Click here to show it.

ThorsProvoni (profile) says:

My Litigation Could Wipe Out Twitter

Despite Musk’s avowed free speech policy, Twitter has basically told me to bring it on.

You can read the current draft at: petition to SCOTUS for a writ of certiorari to the Court of Appeals for the First Circuit.

You can read a short summary at 9th Amendment Challenge to Social Medium Abuse.

This comment has been deemed insightful by the community.
Bloof (profile) says:

He’s used to being able to either bribe or bully the regulators he meets, but he’s not going to know what hit him in this case. ‘Imma gonna ignore you and if you take action, threaten to move to Texas’ isn’t going to work outside of the US, nor is siccing your cult of internet neckbeards on them.

Ali says:

““to insert… feedback and exert influence over product development.” If that’s an accurate portrayal of the situation, then it would be a good thing for Musk to cut it off, ”

Why would this be a good thing? As someone who sometimes works with EU agencies in the normal course of my job the feedback mechanism is something along the lines “If you do this thing like this, you’re likely going to breach that, please don’t” and very very rarely they come up with “it might be better if you do it this other way”. Compliance with the feedback is not mandatory. Disclaimer: completely different industry.

Anonymouse says:

GDPR mistakes

Just to mention that as well as the 27 EU states that have GDPR there are actually 28 countries that use GDPR – the UK has pretty much identical rules (at least at the moment). And in possibly even worse news if it is just Ireland that applies a penalty for all of the EU then the UK will almost certainly have to step in and apply the same penalty in addition to the EU penalty.

JoeCool2 (profile) says:

He's a Genius!

(Reminder: Penalties under the regulation can scale up to 4% of annual global turnover — so these are not rules a normal CEO would ignore.)

See? This is the genius that is Elon! He knows Twitter’s global turnover for the foreseeable future is going to be negative, which means that any fines will also be negative: i.e., they will be paying him! Pure Genius!!

Anonymous Coward says:

“but it still seems highly questionable that the company would allow Irish regulators “to insert… feedback and exert influence over product development.”

It isn’t the regulators providing feedback. It is Twitter’s Irish subsidiary and its board providing feedback. That allows them to say that substantial control about Twitter’s product development is being exerted in Ireland and therefore the Irish regulator has OSS jurisdiction.
This is a thing EU regulators like. They want people in their jurisdiction involved in the decision making and therefore available to take responsibility.

Thad (profile) says:

Re:

It does business in the EU.

While an international corporation can incorporate in a particular nation for strategic reasons — Ireland for the tax policy, for example — it’s not some kind of “get out of jail free” card where you don’t have to follow any of the laws in any of the other countries you operate in.

Thad (profile) says:

Re: Re: Re:

India makes a law and everyone demands they not follow it.
The eu makes a law and everyone demands they follow it.

Well, okay, two things.

One, that’s a fucking strawman. “Everyone” is not “demanding” that Twitter follow EU law; if you’ll read the article at the top of the page, you’ll find that Mike is pretty critical of the EU regulations Musk is required to follow. He isn’t endorsing them, he’s merely acknowledging the reality that if Twitter does not follow the law in a region it operates in, it will be sanctioned by the legal authorities in that region. That’s not an endorsement of the law, nor a “demand”, it’s a statement of fact.

Second, the statement “India makes a law and everyone demands they not follow it. The eu makes a law and everyone demands they follow it.” implies that “law” is a standard unit of measurement and that the content of one law is equivalent to the content of any other law. This is, of course, preposterous. You can’t just yadda-yadda what the law is.

If India passes a law and someone opposes it, and the EU passes a law and that same person supports it, I’m gonna go out on a limb and assume that the reason they oppose the Indian law isn’t that it’s India, and the reason they support the EU law isn’t that it’s Europe.

LostInLoDOS (profile) says:

Re: Re: Re:2

I’m gonna go out on a limb and assume that the reason they oppose the Indian law isn’t that it’s India, and the reason they support the EU law isn’t that it’s Europe.

I didn’t say, or imply, it was who made the law. I clearly stated it was the law and not the country/organisation: “Sounds to me like choosing laws ‘you’ like.”
That’s clearly what this boils down to.
Again, the EU has zero control or authority over a U.S. company. Unless thy did some sort of thievery in not paying taxes to the US government by registering in another country.

Btw: the straw man fallacy. “Everyone” is a generic generalisation in regular use. Meaning a vocal group of countable size.
I doubt many of those who make such “straw man” statements fail to even know where the terminology comes from!

mrschaosmanor (profile) says:

Musk's jawdropping cluelessness

is extremely well illustrated by his comment recently that he didn’t believe the consent decree his company operates under applies because the agreement to obey that decree was made “under duress”.

(picks jaw up from floor)

He is conflating law enforcement and government regulatory supervision with FREE CONTRACTUAL NEGOTIATIONS, as though governments and laws have NO authority over Twitter and cannot REQUIRE they do anything in order to be allowed to stay in business.

In other words, Musk has declared he and his company to be supremely outside ANY accountability and will do only as they please. His position implied here is that the company is supposedly bound ONLY by commitments “freely agreed to without a threat of negative consequences”.

It’s a billionaire’s attitude, no question, but an uniquely naive and clueless one! And even more so when one realizes that even those “freely made” agreements cannot be policed by ANYONE, as far as Musk is concerned, other than…. himself.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...