A complaint was lodged directly with the DPC on 2 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority. The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply within the statutory timeframe with an erasure request they had submitted to it. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their erasure request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.

The complainant’s Twitter account was suspended as Twitter held that the complainant was in breach of its Hateful Conduct Policy . Once Twitter suspended the account, the complainant sought that all of their personal details, such as email address and phone number, be deleted . They submitted multiple requests to Twitter asking that their data be erased . Twitter asked the complainant to submit a copy of their ID in order to verify that they were, in fact, the account holder . The complainant refused to do so . In the premises, Twitter ultimately complied with the erasure request without the complainant’s photographic ID .

The DPC initially attempted to resolve this complaint amicably by means of its complaint handling process . However, those efforts failed to secure an amicable resolution and the case was opened for further inquiry . The issues for examination and determination by the DPC’s inquiry were as follows: (i) whether Twitter had a lawful basis for requesting photographic ID where an erasure request had been submitted pursuant to Article 17 GDPR, (ii) whether Twitter’s handling of the said erasure request was compliant with the GDPR and Data Protection Act 2018 and (iii) whether Twitter had complied with the transparency requirements of Article 12 GDPR .

In defence of its position, Twitter stated that authenticating that the requester is who they say they are is of paramount importance in instances where a party requests the erasure of their account . It states that unique identifiers supplied at the time of registration of an account (i .e . email address and phone number) simply associate a user with an account but these identifiers do not verify the identity of an account holder . Twitter posited that it is cognisant of the fact that email accounts can be hacked and other interested parties might seek to erase an account particularly in a situation such as this, where the account was suspended due to numerous alleged violations of Twitter’s Hateful Conduct Policy . The company indicated that it retains basic subscriber information in- definitely in line with its legitimate interest to maintain the safety and security of its platform and its users .

Twitter further argued that, as it did not actually collect any ID from the complainant, Article 5 (1)(c) was not engaged . Notwithstanding this, it stated that the request for photo identification was both proportionate and necessary in this instance . It indicated that a higher level of authentication is required in circumstances where a person is not logged into their account, as will always be the case where a person’s account has been suspended .

Having regard to the complainant’s erasure request and the associated obligation that any such request be processed without ‘undue delay’, Twitter set out a timeline of correspondence pertaining to the erasure request between it and the complainant . Twitter stated that the complainant had made duplicate requests and, as such, had delayed the process of deletion/ erasure themselves . Regarding data retention, Twitter advised the DPC that it retained the complainant’s phone number and email address following the completion of their access request . It stated that it retains this limited information beyond account deactivation indefinitely in accordance with its legitimate interests to maintain the safety and security of its platform and users . It asserted that if it were to delete the complainant’s email address or phone number from its systems, they could then use that information to create a new account even though they have been identified and permanently suspended from the platform for various violations of its Hateful Conduct Policy .

Following the completion of its inquiry on 27 April, 2022, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR . In its decision, the DPC found that the data controller,

Twitter international Company, infringed the General Data Protection Regulation as follows:

• Article 5(1)(c): Twitter’s requirement that the com-plainant verify his identity by way of submission of a copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR;
• Article 6(1): Twitter had not identified a valid lawful basis under Article 6(1) of the GDPR for seeking a copy of the complainant’s photographic ID in order to process his erasure request
• Article 17(1): Twitter infringed Article 17(1) of the GDPR, as there was an undue delay in handling the complainant’s request for erasure; and
• Article 12(3): Twitter infringed Article 12(3) of the GDPR by failing to inform the data subject within one month of the action taken on his erasure request pursuant to Article 17 of the GDPR .

The DPC also found in its decision that Twitter had a valid legal basis in accordance with Article 6(1)(f) for the retention of the complainant’s email address and phone number that were associated with the account. It also found that, without prejudice to its finding above concerning the data minimisation principle with regard to photo ID, Twitter was compliant with the data minimisation principle as the processing of the email address and phone number data was limited to what was necessary in relation to the purposes for which they are processed .

In light of the extent of the infringements, the DPC issued a reprimand to Twitter International Company, pursuant to Article 58(2) (b) of the GDPR . Further the DPC ordered Twitter International Company, pursuant to Article 58(2) (d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so . The DPC ordered that Twitter International Company provide details of its revised internal policies and procedures to the DPC by 30 June 2022 . Twitter complied with this order by the set deadline .