If X continues to violate Europe’s data protection rules, the company is on the hook for fines of up to €4,000 per day.
© 2024 TechCrunch. All rights reserved. For personal use only.
It’s shaping up to be a terrible, no good, really bad news month for the company formerly known as Twitter. Elon Musk’s X has just been hit with a first clutch of grievances by the European Union for suspected breaches of the bloc’s Digital Services Act — an online governance and content moderation rulebook that features penalties of up to 6% of global annual turnover for confirmed violations.
But that’s not the only high level decision that hasn’t gone Musk’s way lately. TechCrunch has learned that earlier this month X was found to have violated a number of provisions of the DSA and the bloc’s General Data Protection Regulation (GDPR), a pan-EU privacy framework where fines can reach 4% of annual turnover, following legal challenges brought by an individual after X shadowbanned his account.
X has long been accused of arbitrary shadowbanning — a particular egregious charge for a platform that claims to champion free speech.
PhD student Danny Mekić took action after he discovered X had applied visibility restrictions to his account in October last year. The company applied restrictions after he had shared a news article about an area of law he was researching, related to the bloc’s proposal to scan citizens private messages for child sexual abuse material (CSAM). X did not notify it had shadowbanned his account — which is one of the issues the litigation focused on.
Mekić only noticed his account had been impacted with restrictions when third parties contacted him to say they could no longer see his replies or find his account in search suggestions.
After his attempts to contact X directly to rectify the issue proved fruitless, Mekić filed a series of legal claims against X in the Netherlands under the EU Small Claims process, alleging the company had infringed key elements of the DSA, including failing to provide him with a point of contact (Article 12) to deal with his complaints; and failing to provide a statement of reasons (Article 17) for the restrictions applied to his account.
Mekić is a premium subscriber to X so he also sued the company for breach of contract.
On top of all that, after realizing he had been shadowbanned Mekić sought information from X about how it had processed his personal data — relying on the GDPR to make these data access requests. The regulation gives people in the EU a right to request a copy of information held on them, so when X failed to provide the personal information requested he had grounds for his second case: filing claims for breach of the bloc’s data protection rules.
In the DSA case, in a ruling on July 5 the court found X’s Irish subsidiary (which is actually still called Twitter) to be in breach of contact and ordered it to pay compensation for the period Mekić was deprived of the service he had paid for (just $1.87 — but the principle is priceless).
The court also ordered X to provide Mekić with a point of contact so he could communicate his complaints to the company within two weeks or face a fine of €100 per day.
On the DSA Article 17 complaint, Mekić also prevailed as the court agreed X should have sent him a statement of reasons when it shadowbanned his account. Instead he had to take the company to court to learn that an automated system had restricted his account after he shared a news article.
“I’m happy about that,” Mekić told TechCrunch.“There was a huge debate in the courtroom. Twitter said the DSA is not proportional and that shadowbans of complete accounts do not fall under DSA obligations.”
As a further kicker, the court deemed X’s general terms and conditions to be in breach of the EU’s Unfair Terms in Consumer Contracts Directive.
In the GDPR case, which the court ruled on on July 4, Mekić chalked up another series of wins. This case concerned the aforementioned data access rights but also Article 22 (automated decision making) — which states data subjects should not be subject to decisions based solely on automated processing where they have legal or significant effect.
The court agreed that the impact of X’s shadowban on Mekić was significant, finding it affected his professional visibility and potentially his employment prospects. The court therefore ordered X to provide him with meaningful information about the automated decision-making as required by the law within one month, along with the other personal information X has so far withheld, which Mekić had requested under GDPR data access rights.
If X continues to violate these data protection rules, the company is on the hook for fines of up to €4,000 per day.
X was also ordered to pay Mekić’s costs for both cases.
While the pair of rulings only concern individual complaints, they could have wider implications for enforcement of the DSA and the GDPR against X. The former is — as we’ve seen today — only just gearing up, as X gets stung with a first step of preliminary breach findings. But privacy campaigners have spent years warning the GDPR is being under-enforced against major platforms. And the strategic role core data protections should play in driving platform accountability remains far weaker than it could and should be.
“Bringing the claims was a final attempt to clarify my unjustified shadowban and get it removed,” Mekić told TechCrunch. “And, of course, I hope Twitter’s compliance with legal transparency obligations and low-threshold contact will improve to make it even better.”
“The European Commission seems to be very busy with investigations under the DSA. So far, regarding Twitter, the Commission seems to focus mainly on stricter content moderation. My appeal to the Commission is also to be mindful of the flip side: platforms should not overreach in their non-transparent content moderation practices,” he also told us.
“If you ask me, there is a simpler solution, namely, to curb algorithms on social media such as on Twitter, which are designed to maximise engagement and revenue and to bring back the chronological timelines of the heyday of Twitter and other social media platforms as standard.”
While the EU itself has a key role in enforcing the DSA’s rules on X, as is designated as a very large online platform (VLOP), its compliance with the wider general rules falls to a European member state-level oversight body: Ireland’s media regulator, Coimisiún na Meán.
Enforcement of the EU’s flagship data protection regime on Twitter/X typically falls to another Irish body, the Data Protection Commission (DPC), which is routinely accused of dragging its feet on investigating complaints about Big Tech.
Asked for information about its enforcement of various long-standing GDPR complaints against X, a spokesperson for the DPC said it could not provide a response by the time of publication.
Individuals bringing small claims against major platforms to try to get them to abide by pan-EU law is clearly suboptimal; there’s supposed to be a whole system of regulatory supervision to ensure compliance.
“On a side note, I did experience how much time and effort it takes to litigate in court,” said Mekić. “Despite the fact that in principle it can be done without a lawyer. Even so, you spend almost a year on it while the other party can outsource it to a battery of lawyers with near-infinite budgets and just ignore it in the meantime: indeed, I have never had direct contact with anyone from Twitter, they only communicate with me through lawyers.”
Asked whether he’s hopeful the outcome of his two cases will bring an end to X’s arbitrary shadowbanning for all EU users, Mekić said he doesn’t think his own success will be enough — regulatory enforcement is going to be needed for that.
“I hope so, but I’m afraid not,” he said. “There is little focus on the commercial motives behind shadowbans. If a user breaks a rule, you could temporarily block their account. That is transparent. But that also removes that user’s ad revenue for the platform. Shadowbans are a solution for that: the user is unaware of anything and continues to engage with and generate advertising revenue for the platform.”
“It would be a brave decision by social media platforms to stop applying shadow bans and only impose transparent, contestable restrictions on users. But that will presumably lead to loss of revenue. I hope Twitter will set other platforms a good example and inform users transparently about account restrictions, as required by the DSA. To do so, platforms do need to put their commercial intentions second,” said Mekić.
“It does surprise me that the Commission has not identified anything about the large-scale shadowbanning practices that users do not receive notifications about,” he added. “It happens daily on a large scale and is easier to prove than what they are focusing on now.”
X has been contacted for a response to the rulings.
Leave a Reply