Midway through last year, Twitter moved data control for all non-EU citizens to Ireland in the EU. Twitter then declared its subsidiary, ‘Twitter International Company’ to be a data controller in the EU for all non-US citizens. This brought it under EU Data Protection law.

A few weeks ago on 30/01/2016, a French man won a case in a Paris appeals Court that he could sue Facebook for suspending him,

The Witchfinder comments on how users can use EU law to assert their rights on Twitter.

So last week I was suspended from Twitter. All of my accounts were simultaneously suspended. There was no explanation – no ‘you are a spammer / meanie / aggressive follower’. I assumed the most likely reason was my article criticising Motherboard Associate Editor Sarah Jeong for doxing a rape victim, although this later turned out to be incorrect when they finally did give reasons.

Annoyed, I started to look up the applicable law. At first I despondently thought it would be California law – readers will recall my dispute with the Block Bot last year. They said they were immune because Twitter held its servers in the US.

Much to my surprise, I discovered that Twitter, per its privacy page (archive here, further archive here) moved its operations for all non-US people to Ireland and declared a data controller in April 2015. Twitter’s Irish subsidiary ‘Twitter International Company’ (TIC) is the data controller. When you use Twitter in the EU, according to its terms you are contracting with TIC and for most people this will be a consumer contract.

This is HUGE. EU law puts draconian obligations on Data Controllers like TIC and is incorporated in Irish law in a Data Protection Act almost identical to the UK one. Want to know why you were suspended? Put in a ‘subject access’ request. In the EU, all Data Controllers are required to allow users to obtain their own personal data.

If you write to Twitter and make a subject access request, it must provide copies of all its records on you within 40 days. More importantly, it must explain how your data is processed. Data Protection Law is the same throughout Europe because it is based on a European Directive that has been incorporated into EU law by each member state. In Ireland it is the Data Protection Act 1988 (as amended).

Worse (for multinational companies), a European Court recently held that if a company has a permanent representative in your country you can sue for Data Protection breaches in the Courts of your own country.

As Twitter did not seem to have a clear Subject Access process, I contacted the Irish Data Protection Commissioner. A spokesperson said,

“Companies are not in fact required to have Subject Access Request Policies in place, but are obliged to comply with any Subject Access Requests made to them.”

So I made a subject access request. I wrote a polite letter to Twitter’s General Counsel. I asked them to review the suspension or if not, turn over all records they had on me (including disciplinary records) and details of how they process sensitive information. In EU law Data Controller have to tell you if they are processing data about race, gender and / or political belief. That means filtering hashtags or users like Milo Yiannopoulos (@Nero).

Responding to subject access requests, Twitter is allowed to charge a fee of up to €6.35. The law allows Twitter to redact the names of third parties like anyone who complained about you and also its staff. However, it cannot redact what they said unless one of several narrow exceptions applies (for example, law enforcement – but that means actual law enforcement not ‘harassment’).

You are also allowed to ask how your data is used. For example, “Can you please tell me if you are using algorithms or otherwise tracking the use of hashtags like ‘#GamerGate’ or ‘Nyberg’?”

EU law requires that data be processed ‘fairly’, and all EU laws are interpreted in line with the European Convention on Human Rights (ECHR). This applies to decisions about bans. In particular, data about political opinions is ‘sensitive’, and more restrictions apply. Data must be used for a particular purpose, so the fact it is allowed for one purpose does not make it lawful to use for others.

If a company does not comply or wrongly redacts data with unreasonable excuses then after the time limit expires you can complain to the Irish Data Protection Commissioner, which can levy enormous fines and apply enforcement notices to them. In extreme cases the Commissioner can shut down the company.

Two days later – unsuspended. The explanation? They said it was all a mistake. They claimed that they had thought my personal, blog and parody account have overlapping use cases.

OVERLAPPING USE CASES? There are users on Twitter who openly admit to being attracted to children. There are jihadis. There is ISIS. PRIORITIES, PEOPLE! Even so they unsuspended me so I thought – why not let bygones be bygones?

The next day they suspended me again. I dropped a letter to their General Counsel and it was dealt with that working day. Unsuspended – and the same purported reason.

I just thought … how unprofessional. What if I was a business owner and my livelihood depended on this? The blog is non-profit but imagine if a business phone line was cut off without warning or even an explanation of what had been done wrong, and replaced by a vague, ominous automated message saying the business user had been suspended for some ‘breach of rules’.

Twitter had also at the same time suspended an API key I had made for my research application, Malleus Twitter. At this point I decided I was disgusted by the whole thing. I decided as I set out in my previous article that I no longer wished to use Twitter – at least for the immediate future. I renamed and deactivated my accounts. The traffic has been declining anyway as other users become equally disgusted.

Data Protection aside, Europe has powerful, Europe wide consumer laws. These typically allow consumers to enforce consumer contracts in their own local courts and prohibit unfair terms. It may not be obvious to some people, but the relationship between Twitter users and consumers is a contract.

One common type of unfair term is called a ‘Choice of Law’ clause. For example, both Facebook and Twitter make you agree to a term that your contract is governed by the laws of California. Putting this into context, if you use Twitter in England, you are contracting with an Irish company. How can it be reasonable to apply the laws of California?

Unfortunately for companies like Twitter, numerous consumer laws apply to override their questionable terms. For example, section 74 of the UK Consumer Rights Act 2015, says –

“74 Contracts applying law of non-EEA State

(1) If —

(a) the law of a country or territory other than an EEA State is chosen by the parties to be applicable to a consumer contract, but

(b) the consumer contract has a close connection with the United Kingdom,

this Part applies despite that choice.”

Section 62 says this –

“62 Requirement for contract terms and notices to be fair

(1) An unfair term of a consumer contract is not binding on the consumer.

(2) An unfair consumer notice is not binding on the consumer.

(3) This does not prevent the consumer from relying on the term or notice if the consumer chooses to do so.

(4) A term is unfair if, contrary to the requirement of good faith, it causes a significant imbalance in the parties’ rights and obligations under the contract to the detriment of the consumer. […]”

So all the sections in Twitter’s terms about being allowed to ban you for no reason? Ink on a page.

Given Twitter’s far from transparent approach to conduct issues, I suggest that any aggrieved EU users write to them to exercise their subject access rights. This is especially important if any account you own has been unfairly suspended. (Obviously, if you did in fact do something serious like sending death threats, not such a good idea).

A model email follows, which should be sent to privacy@twitter.com and copied by letter (standard postage) to Data Controller, Twitter International Company, 42 Pearse Street, Dublin 2, Dublin, Ireland. Use the email associated with your account to avoid any identity holdups.

As a minor issue, it would also be nice if everyone would report Sarah Jeong. This author finds it incredible she is still allowed on Twitter and it underlines the emptiness of their comments on ‘Trust and Safety’.

I suggest this –

“[Your Address]

[Phone]

[Email]

[Date]

Dear Sir or Madam,

Subject Access Request – @[AccountName]

I am a Twitter user under the account name @[AccountName]. My account was was suspended on [X] and have been given no adequate reason. I hereby make a subject access request pursuant to the Data Protection Act 1988, Ireland.

Please provide all information about my account, including the reason for my suspension. It is not enough to provide a mere vague category of offence, please provide all information you hold on the reasons.

I quite understand if you wish to redact the identities of staff or any complainants because it is not my intention to use this response for retaliation.

I am especially concerned to read other users suggesting that Twitter is processing sensitive information like political belief. The Act requires you to explain how data is being processed, so please confirm whether you are processing political data like hashtags.

I would also like to express my disgust at the fact that @SarahJeong is allowed to use your platform in light of her behaviour, which as you are aware included doxing a rape victim. Her continued presence casts doubt on the character of Twitter and its senior staff and makes your claims to care about safety or respect ring hollow.

Kind regards,

[Real Name]”