Tweeting Beyond Borders: Can Foreign Governments Compel Twitter to Release Private Data?

CAITLYN CULLEN—On October 28, Brazilians elected right-wing nationalist Jair Bolsonaro as their next president. Bolsonaro secured nearly 55% of Brazilians’ votes with a campaign that was heavily centered on his social media presence. Election results were met with a wave of both celebration and protest across the country, which comes as no surprise given the divisive political atmosphere and contentious weeks leading up to the final election. At a campaign rally in early September, Bolsonaro was stabbed by a left-wing activist who vehemently opposed Bolsonaro’s views. In the hours after the attack, reactions to the stabbing were the top five hashtags trending on Twitter in Brazil, ranging from condemnation of violence to suggestions that Bolsonaro brought the fate on himself with his own caustic rhetoric. Among these Twitter users, sixteen praised the assailant for the life-threatening attack. In response, a Brazilian court has ordered Twitter to  turn over the user-data of those sixteen users to aid law enforcement in identifying them. These users could potentially face hate crime charges if identified. After its appeal was rejected, Twitter refused to disclose the data and it remains unclear whether it has yet done so.

Embed from Getty Images

This is not the first time that Twitter’s data privacy policies have been challenged by courts, nor is it likely to be the last as social media and tech giants like Facebook and Google grapple with European data security challenges of GDPR regulations.  Last November, the Ireland Data Protection Commission launched an investigation into the data privacy policies of Twitter after a consumer filed a complaint that Twitter would not release certain data about his account. The claimant, a privacy and technology researcher at University College of London, claims that the GDPR gives him rights to any metadata he generated by clicking links on Twitter.  Under the GDPR Rules, E.U. citizens have the right to access any personal data held about them, understand how it is processed, and demand the company rectify inaccurate information or remove it. Businesses must comply promptly “unless this is deemed to require a disproportionate effort”. Twitter provided the user with his list of contacts and direct messages, but refused to disclose the metadata, claiming it “would require disproportionate effort” to produce. With Dublin as the E.U. headquarters for Twitter, Facebook, and Google, Irish authorities’ decision on how to handle this claim will likely be influential on social media policy, not just in the E.U., but for tech companies’ policies overall.

As social media and technology connect users across the globe, the question of how foreign states regulate internet policies beyond their borders becomes ever more salient . When faced with the issue of what data it must disclose and to whom, can Twitter have an all-encompassing global policy or is a policy tailored to each unique jurisdiction in which it operates more appropriate? With a wide range of laws, values, and consumer rights in different countries, it is unlikely that Twitter could create a policy that complies with every jurisdiction. Rather, it is more likely that it will make the strategic choice of creating a policy that complies with its most lucrative regions of operation and try to push legal battles with less lucrative nations into its preferred jurisdiction. If that is unsuccessful, Twitter can then evaluate its best course of action on a case-by-case basis.

As a web-based service, the ability to access the internet in any given country defines the size of Twitter’s potential market there; 76% and 80% of the U.S. and E.U. populations, respectively, have internet access, while only 60% of Brazilians have internet access. Coincidentally, Twitter has complied with 77% of the roughly 1,800 government requests for user data in the U.S., over 60%. of the requests from E.U. countries, but a mere 27% of the requests in Brazil.

The rights of E.U. citizens under the GDPR Rules, which “apply regardless of where the data lands . . . [even] when data is transferred to a country which is not a member of the E.U.,” suggest a global policy is the most efficient way Twitter can remain compliant with E.U. regulations without having to track the citizenship of each individual user and location from which they are operating (a gargantuan administrative task, no doubt). Twitter directs all government requests to its U.S. headquarters or European headquarters and requires all government requests from foreign countries to comply with Mutual Legal Assistance Treaties. This implies Twitter does not consider Brazilian law applicable directly, but only indirectly if Brazil (1) has such a treaty, and (2) uses the treaty’s procedures to make Brazilian court orders enforceable in the U.S. or E.U..

The U.S. and Brazil have a Mutual Legal Assistance Treaty that would allow a U.S. court to serve the required legal documents on Twitter under 18 U.S.C. § 3512. However, the Code only allows a judge to issue a warrant for a foreign offense that would be considered a crime punishable by at least 1 year imprisonment if committed in the United States. The sixteen aforementioned tweets raise issues with freedom of expression. Brazil’s constitution provides for freedom of expression, but has considerable restrictions for hate speech, including a provision that criminalizes “disrespecting of public officials.” Though the sixteen tweets might implicate Brazilian criminal law, one need not stretch their memory beyond recent political campaigns to realize the immense protections of freedom of speech under the First Amendment and conclude disrespect of public officials is not a crime in the U.S..

For now, it seems Twitter’s data privacy policy favors protection from government surveillance unless the laws of the U.S. or E.U. require disclosure, but it remains to be seen how data privacy policies will evolve as people around the world become increasingly interconnected by technology.