Twitter Risks Investigations and Big Fines

The work of two key teams that Twitter Inc. relied on to comply with regulators abruptly stopped amid a rash of layoffs, resignations and firings, according to two people familiar with the matter. That puts the social media giant at risk of investigations and hefty fines, the people said.

The latest departures heighten concerns that a staff exodus following Elon Musk's takeover will undermine the company's ability to comply with rules intended to protect users' data.

A data governance committee that had overseen Twitter's compliance with a Federal Trade Commission consent decree ceased to exist after two of its members were fired and three others resigned, according to the people. Under the consent decree, Twitter agreed to better protect users' personal data.

The committee was formed in November 2021 and was responsible for overseeing decisions on how user data was collected, accessed and disclosed, according to a post on the company's website at the time. The committee also managed internal compliance with Twitter's privacy policy.

Meanwhile, a board of directors that was responsible for managing Twitter's compliance with the Europe Union's General Data Protection Regulation, or GDPR, ceased operating after Musk fired two of its three members: Vijaya Gadde, the company's top lawyer, and Sinead McSweeney, global vice president for public policy, according to the people. Last month, McSweeney, who is based in Dublin, secured a court injunction preventing Twitter from terminating her employment.

The board of directors carried out a crucial role, reviewing the work of product and engineering teams at Twitter to ensure they didn't violate Europe's complex rules on the transfer and processing of data from EU citizens, according to the people. Members of the board -- two of whom were based in Dublin -- met monthly, the people said.

Instead, Musk has made new product decisions on an ad-hoc basis with no involvement of the board of directors, the people said. Regulators could determine that Twitter's Ireland office no longer has effective oversight over EU citizens' data. If that happened, then any of the 27 EU member states would have the authority to open investigations into Twitter and issue fines, the people said.

Twitter's office in Dublin is its EU headquarters and is designated as the “controller” of European citizens' data for the purposes of GDPR compliance.

Twitter, Gadde and McSweeney didn't respond to requests for comment. Last month, the two remaining employees in Twitter's office in the regulatory hub of Brussels left.

The rash of departures at Twitter has heightened concerns among remaining staff that they could be held liable for FTC violations, prompting a lawyer for Musk, Alex Spiro, to reassure them in a memo that they wouldn't go to jail if the company was found in violation of the FTC decree.

Overall, more than 100 people working on security and privacy teams have left the company since Musk took charge at Twitter in October. That has halved the number of personnel who were responsible for protecting Twitter's infrastructure from cyberattacks and data breaches, according to the people.

Twitter's main EU privacy watchdog said on Monday that it was “very concerned” about the ability of Twitter to abide by EU laws. The Irish watchdog said that it had been in almost daily contact with Twitter's Dublin office after the departure of staff in recent weeks sparked safeguarding fears.

Last month, Twitter's chief information security officer, chief privacy officer and chief compliance officer resigned. Twitter subsequently appointed Renato Monteiro as its interim data protection officer. Monteiro, who is based in Dublin, formerly served as the company's data protection counsel for Latin America. However, Monteiro has had little involvement with product engineering and development teams in the US since his appointment, according to the people familiar with the matter.

Monteiro didn't respond to a request for comment. It's not clear who else, if anyone, may be in charge of Twitter's compliance with the FTC and GDPR.

The dearth of staff has also meant that the company doesn't have enough personnel to oversee the maintenance of about 400 different information security standards, known as ISOs. Individual staff at the company were responsible for maintenance of the standards, which, among other things, ensure that the company is correctly encrypting user data to keep it secure. Compliance with the standards is independently assessed on a biannual basis to ensure the company is meeting the requirements of the FTC's consent decree.

The FTC has said that it was following developments at Twitter with “deep concern.”

Data watchdogs in Europe saw their powers increased overnight in May 2018, when the GDPR took effect and gave them the power to levy fines of as much as 4% of a company's annual sales.