It’s going to be a terrible, bad, really bad month for the company formerly known as Twitter. Elon Musk’s X just received its first complaint from the European Union for allegedly violating the bloc’s Digital Services Act, an online governance and content moderation rule that imposes fines of up to 6% of annual revenue for confirmed violations.
But that’s not the only high-level decision that hasn’t gone well for Musk recently. Earlier this month, TechCrunch reported that X was found to have violated multiple provisions of the DSA and the blockchain’s General Data Protection Regulation (GDPR), a pan-EU privacy framework that carries fines of up to 4% of annual revenue, following a legal action brought by an individual after X shadowbanned his account.
X has long been accused of arbitrary shadowbanning — a particularly outrageous charge for a platform that claims to support free speech.
PhD student Danny Mekic took action after discovering that X had placed visibility restrictions on his account in October of last year. The company imposed the restrictions after he shared a news article about a legal area he was researching in relation to a proposal for Bloc to scan citizens’ private messages for child sexual abuse material (CSAM). X failed to notify him that it had shadow-banned his account, which is one of the issues the lawsuit focuses on.
Mekichi was unaware that his account had been restricted until a third party contacted him, saying that he could no longer see his replies and that his account was no longer found in search recommendations.
After attempts to contact X directly to resolve the issue failed, Mekić brought a series of legal actions against X in the Netherlands under the EU small claims procedure. In the lawsuits, he alleged that X had violated key elements of the DSA, including by failing to provide a contact point for complaints (Article 12) and failing to give reasons for the restrictions placed on his account (Article 17).
Mekichi is a premium subscriber to X, so he sued the company for breach of contract.
First of all, after realizing he had been shadowbanned, Mekić asked X for information about how it had processed his personal data. He made this data access request in reliance on the GDPR. The regulation gives people in the EU the right to request a copy of information held about them, so when X failed to provide him with the personal information he requested, he had grounds to file a second lawsuit: a claim for violation of the bloc’s data protection rules.
In the DSA case, the court ruled on July 5 that X’s Irish subsidiary (still called Twitter in practice) had breached its contract and ordered it to pay Mekić compensation for the period of time he was unable to use its services (a mere $1.87, but the principle is priceless).
The court also ordered X to provide Mekić with contact details so he could file a complaint with the company within two weeks, or face a fine of €100 per day.
Mekić also won the DSA Section 17 complaint because the court agreed that X had to send him a written statement explaining why it shadowbanned his account. Instead, he had to take the company to court to learn that an automated system had restricted his account after he shared a news article.
“I’m excited about that,” Mekić told TechCrunch. “There was a huge argument in court. Twitter said that DSAs were not proportional and that shadowbanning entire accounts did not fall under the DSA mandate.”
Even more serious is that the court ruled that X's general terms and conditions violate the EU's Directive on unfair terms in consumer contracts.
Mekić has won another series of victories in a GDPR case, which the court ruled on July 4. This case concerns the aforementioned right of access to data, but also Article 22 (automated decision-making), which states that data subjects must not be subject to decisions based solely on automated processing that are lawful or have significant effects.
The court agreed that X’s shadowban had a significant impact on Mekić, finding that it had affected his professional visibility and potentially his employment prospects. The court therefore ordered X to provide meaningful information about the automated decision-making as required by law, as well as other personal data that X had previously withheld (as requested under GDPR data access rights), within one month.
If X continues to violate these data protection rules, the company faces fines of up to €4,000 per day.
X was also ordered to pay Mekichi's costs for both incidents.
While the two rulings only concern individual complaints, they could have broader implications for enforcement of the DSA and GDPR against X. The former is only just getting underway, as we saw today, as X was hit in the first stage of its preliminary breach investigation. But privacy campaigners have been warning for years that GDPR is not being properly enforced on major platforms. And the strategic role that core data protections should play in driving platform accountability is still far weaker than it could or should be.
“Filing the claim was a last-ditch effort to clarify and remove my unfair shadowban,” Mekić told TechCrunch. “And of course, I hope Twitter improves its compliance with its legal transparency obligations and low-threshold contact requirements.”
“The European Commission seems very busy with the DSA investigation. So far, with regard to Twitter, the Commission seems to be focusing mainly on more stringent content censorship. My appeal to the Commission is to also keep in mind the other side: platforms should not be excessive in their opaque content censorship practices,” he also told us.
“I think there's a simpler solution: curbing the algorithms of social media like Twitter, which are designed to maximize engagement and revenue, and revert to the chronological timelines of the heyday of Twitter and other social media platforms.”
While X is designated a Very Large Online Platform (VLOP), meaning the EU itself has a key role to play in enforcing the DSA’s rules, the responsibility for enforcing broader general rules falls to Ireland’s media regulator, Coimisiún na Meán, which is a supervisory authority at the EU member state level.
Enforcement of the EU's flagship data protection regime on Twitter/X is usually handled by another Irish authority, the Data Protection Commission (DPC), which is often criticized for being slow to investigate complaints about Big Tech.
When asked for information on the various long-standing GDPR complaint procedures for X, a DPC spokesperson said they were unable to provide a response by the time of publication.
It is clearly not optimal for individuals to file small claims lawsuits against large platforms to enforce EU-wide law. There needs to be a holistic regulatory oversight system to ensure compliance.
“I would also like to add that I have experienced how much time and effort it takes to fight a case in court,” Mekić said. “Even though theoretically you could do it without a lawyer, you could spend almost a year doing it, while the other side can outsource it to a group of lawyers with an almost unlimited budget and just ignore them in the meantime. In fact, I have never directly contacted anyone on Twitter. They only communicate with me through their lawyers.”
When asked whether the outcome of the two incidents would be enough to end X’s arbitrary shadow bans for all EU users, Mekić said that his success alone would not be enough. That would require regulatory enforcement.
“I hope so, but I don’t think so,” he said. “There’s very little focus on the commercial motivation behind shadowbans. If a user breaks the rules, we can temporarily ban their account. That’s transparent. But it also removes that user’s ad revenue from the platform. Shadowbans are a solution to that. Users don’t know anything and they continue to engage with the platform and generate ad revenue.”
“It would be brave for social media platforms to stop shadow banning and only impose restrictions that are transparent and appealable to users, but doing so would likely result in a loss of revenue. We hope Twitter will set a good example for other platforms and be transparent with users about account restrictions as required by the DSA. This will require platforms to put their commercial intent second,” Mekić said.
“It’s surprising that the commission has not uncovered anything about the massive shadowbanning practice that is happening every day, on a massive scale, and is easier to prove than what we’re focusing on now,” he added.
X was asked to respond to the verdict.
