When Twitter (TWTR) users put links into tweets, the service applies its own link-shortening service, t.co, to them. Twitter says this allows the platform to measure how many times a link has been clicked, and helps it to fight the spread of malware through dodgy links.

However, privacy researcher Michael Veale, who works at University College London, suspects that Twitter gets more information when people click on t.co links, and that it might use them to track those people as they surf the web, by leaving cookies in their browsers.

As is his right under the new General Data Protection Regulation (GDPR)—the sweeping set of privacy rules that came into effect across the EU in May—Veale asked Twitter to give him all the personal data it holds on him.

The company refused to hand over the data it recorded when Veale clicked on links in other people’s tweets, claiming that providing this information would take a disproportionate effort. So, in August, Veale complained to the Irish Data Protection Commission (DPC), which on Thursday told him it was opening an investigation. As is common with big tech firms, Twitter’s European operations are headquartered in Dublin, which is why Veale complained in Ireland.

“The DPC has initiated a formal statutory inquiry in respect of your complaint,” the watchdog said in a letter to Veale. “The inquiry will examine whether or not Twitter has discharged its obligations in connection with the subject matter of your complaint and determine whether or not any provisions of the GDPR or the [Irish Data Protection] Act have been contravened by Twitter in this respect.”

The regulator also said the complaint was likely to be handled by the new European Data Protection Board—a body that helps national data protection authorities coordinate their GDPR enforcement efforts—as Veale’s complaint “involves cross-border processing.”

When Twitter told Veale that it would not hand over the data it held on his tracking via t.co links, it claimed the GDPR allowed it to do so on “disproportionate effort” grounds. However, Veale said Twitter was misinterpreting the text of the law, and that this exemption cannot be used to limit so-called access requests, such as the one he made.

This appears to be the first GDPR investigation to be opened in relation to Twitter. Veale recently prompted a similar probe into Facebook, again over a refusal to hand over data held on users’ web-browsing activities, but Facebook (FB) was already the subject of multiple GDPR investigations.

“Data which looks a bit creepy, generally data which looks like web-browsing history, [is something] companies are very keen to keep out of data access requests,” said Veale.

The researcher said Twitter was definitely recording the times at which users clicked on links, and probably also information about the kinds of device they were using. He added that it was technically possible for Twitter to determine the user’s rough location—Twitter’s privacy policy says advertisers might collect IP addresses when people click on their links—but it was unclear what Twitter did with the information it harvested through its t.co service.

“The user has a right to understand,” Veale said.

If companies are found to be breaching the terms of the GDPR, they face fines of up to €20 million ($23.2 million) or up to 4% of global annual revenue, whichever is bigger. Twitter’s 2017 revenues totalled $2.4 billion, so in theory a GDPR fine could run to $96 million for the company—though this would require the Irish DPC to decide the offense was particularly egregious.

Twitter declined to comment on the investigation.