by X, the social media platform owned by Elon Musk, is under scrutiny after it was discovered that the company used data from European Union users to train its Grok AI chatbot without obtaining their consent. This revelation has sparked nine privacy complaints across multiple EU countries, including Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland, and Spain.
The complaints stem from the discovery of a setting on X indicating that the platform had started processing the post data of EU users to train its AI models. This move came to light in late July, prompting concerns from the Irish Data Protection Commission (DPC), which oversees X’s compliance with the EU’s General Data Protection Regulation (GDPR). The GDPR mandates that personal data processing requires a valid legal basis, typically user consent, which X allegedly failed to obtain.
Max Schrems, chairman of the privacy rights organization noyb, which is supporting the complaints, criticized the DPC’s enforcement efforts, emphasizing the need for X to fully comply with EU law. Schrems highlighted that users were not given a straightforward option to consent to or opt out of their data being used for AI training, a requirement under the GDPR.
In response to the discovery, the DPC has initiated legal action in the Irish High Court to stop X from continuing this data processing. However, noyb argues that this response is inadequate, noting that there is no way for users to request the deletion of data already used in AI training.
The complaints contend that X’s reliance on “legitimate interest” as a legal basis for the AI-related data processing is inappropriate and that user consent is required. This follows a similar case where Meta paused its plan to use user data for AI training after facing GDPR complaints.
The controversy highlights the importance of GDPR protections in preventing the misuse of personal data, particularly in unexpected ways that could impact users’ rights and freedoms.
Musk will get what he wants anyways.