Both Europe’s GDPR and California’s CPPA privacy laws give people the right to ask companies to delete data they hold about them, though there are exceptions to these rules. Furthermore, if someone writes to a company under GDPR and asks it to delete their data, the firm is obliged to reply and, if refusing, explain its reasons why. Veale’s guide suggests using this language to request DM deletion: “I wish for these data to be erased from all systems, including backup systems (on an appropriate schedule).” It further suggests asking only for messages sent by your account to be deleted (not those you have received), and states there’s no obvious reason why Twitter should keep the messages.

Lari Lohikoski, a communications professional and entrepreneur based in Finland, manually deleted his DM conversations after Musk took over Twitter but also decided to request the company delete them from its systems. “I don’t see my direct messages on Twitter’s user interface, but I very much think that they are on their server still,” Lohikoski says. 

Twitter initially replied to his request with a short message advising him to delete his account to get rid of messages, which Lohikoski says is not what was asked for. (In November, the author of this article made a request for Twitter to delete their DMs and received a similar one-line response from Twitter.) Twitter, which no longer has a communications department, did not respond to WIRED’s request for comment. Its policies say: “Once your account is deleted, your account is no longer available in our systems.” It is not clear whether this means the data is deleted entirely, or is unavailable internally.

Lohikoski, who says Twitter doesn’t “seem to respect the GDPR,” complained to Finland’s data regulator and also the Irish data regulator, the body that primarily oversees Twitter in Europe. Veale received a similar message and complained to the Irish regulator as well as the UK’s Information Commissioner’s Office (ICO). TechCrunch has also reviewed complaints about deleting DMs.

The ICO told Veale that Twitter’s response “failed to comply with the requirement of the data protection legislation” as it didn’t reply properly to the request and only provided “general information” about deleting Twitter accounts. The ICO said it would write to Twitter. Companies that don’t follow GDPR rules may be liable for large fines or enforcement action—although it would be rare in this circumstance.

On January 18, Lohikoski says he received a “surprise” email from Twitter. It repeated Twitter’s help center advice about DMs. It did not directly respond to the points made in the initial request. Lohikoski says “this again does not respond to my request.” (The ICO told Veale that Twitter also replied to him around this time; however, it appears to have sent the message to an email address that doesn’t belong to Veale. The ICO told the company to explain how this happened.) An ICO spokesperson says that it is “engaged in dialog” with Twitter’s data protection officer and assessing the impacts of changes to Twitter under Musk. The ICO did not comment on any specifics of complaints about DMs being deleted.