Let's assume that, technically i am able to collect the public information from Twitter (including user's profile and their tweets) from Twitter.
I am wondering, is it legal to sell this data? How about if i wish to share it for free?
I live in Europe, but does the location of this service matter?
The second inferred question is "How does Twitter conform to GDPR?"
See the Twitter GDPR FAQ for details on if Twitter is a data controller or a data processor, how Twitter complies with the legal requirements for transferring data, etc.
Re: the original question regarding scraping and distributing Twitter data:
Read Twitter's Twitter Terms of Service, which is a legally binding contract for use of their service. By using Twitter (or accessing Twitter without an account), you agree to that contract.
Twitter very clearly states what they allow as legal uses of their service; pertaining to scraping and selling and/or sharing data:
You also agree not to misuse our Services, for example, by... (iii) access or search or attempt to access or search the Services by any means (automated or otherwise) other than through our currently available, published interfaces that are provided by Twitter (and only pursuant to the applicable terms and conditions), unless you have been specifically allowed to do so in a separate agreement with Twitter (NOTE: crawling the Services is permissible if done in accordance with the provisions of the robots.txt file, however, scraping the Services without the prior consent of Twitter is expressly prohibited);
...
If you want to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use the Services or Content on the Services, you must use the interfaces and instructions we provide, except as permitted through the Twitter Services, these Terms, or the terms provided for (developers)
So you can scrape Twitter with prior consent, or scrape according to the robots.txt file, which shows Twitter's limits on what you can scrape. If you don't follow the TOS, you risk Twitter taking legal (civil, possibly criminal, according to jurisdiction) action against you.
No, I don't think that it would be legal to sell users' profile without their consent. Even when you sign up for an account on a site, they pledge to protect your data. It would be a breach of privacy to sell information about someone ( where the person lives, his address, his phone number ) without their consent. Especially Europe has become strict in such matters after the European Privacy Law (2018).
Before acquiring a contact list or a database with contact details of individuals from another organisation, that organisation must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may use it for advertising purposes. For example, if the organisation acquired it based on consent, the consent should’ve included the possibility to transmit the data to other recipients for their own direct marketing.
Your company/organisation must also ensure that the list or database is up-to-date and that you don’t send advertising to individuals who objected to the processing of their personal data for direct marketing purposes. Your company/organisation must also ensure that if it uses communication tools, such as email, for the purposes of direct marketing, it complies with the rules set out in the ePrivacy Directive (Directive 2002/58/EC1).
Such lists are processed on grounds of legitimate interests and individuals will have a right to object to such processing. Your company/organisation must also inform individuals, at the latest at the time of the first communication with them, that it has collected their personal data and that it will be processing it for sending them adverts.
Example Two friends, Mrs. A and Mr. B, run, respectively, a gym and a book shop. Each collects data from their respective customers. Mr. B’s book shop isn’t doing well. His client database has few entries and not many people walk into his shop. He tells Mrs. A that he has a new biography of a famous athlete and asks whether Mrs. A’s clients would be interested in receiving advertising about the book. The terms of Mrs. A’s privacy notice informed her clients that she could share the data with partners offering products in the health and fitness area. As far as specific consent was given for the purpose of transmitting the data to other recipients for their own direct marketing, Mrs. A can send the client list to Mr. B. No data can be sent about an individual who objected to the processing of their personal data.
References Article 4(10) and Articles 5, 6, 14 and 21 of the GDPR EDPB guidelines on Transparency under Regulation 2016/679 ePrivacy Directive 2002/58/EC rules on direct marketing, in particular Article 13 1 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.07.2002 p.37).
