In a statement issued just before Christmas, the Data Protection Commission (DPC) said it had launched an own-volition inquiry pursuant to section 110 of the Data Protection Act 2018 after multiple international media reports said one or more collated datasets of Twitter user personal data had been made available on the internet.

The purported datasets are said to contain personal data relating to approximately 5.4 million Twitter users worldwide. The datasets were reported to map Twitter IDs to email addresses and/or telephone numbers of the associated data subjects.

The statement said: “The DPC corresponded with Twitter International Unlimited Company (TIC) in relation to a notified personal data breach that TIC claims to be the source vulnerability used to generate the datasets and raised queries in relation to GDPR compliance. TIC engaged with the DPC and subsequently furnished a number of responses.

“The DPC, having considered the information provided by TIC regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the Act may have been, and/or are being, infringed in relation to Twitter Users’ personal data.

“Accordingly, the DPC considers it appropriate to determine whether TIC has complied with its obligations, as controller, in connection with the processing of personal data of its users or whether any provision(s) of the GDPR and/or the Act have been, and/or are being, infringed by TIC in this respect.”