EU Targets X for Training Grok With Unconsented User Data

Social media platform X is being targeted with privacy complaints in the European Union. X allegedly used posts made by European users to train its AI models without consent.

TechCrunch reported that X ordeal started last month after a user found a setting that indicated that the social media giant was quietly processing regional user data to train its AI chatbot, Grok.

GDPR Compliance

The revelation came as a big surprise to the Irish Data Protection Commission (DPC), the government watchdog that leads oversight on compliance with the EU General Data Protection Regulation (GDPR).

GDPR allows for sanctioning of confirmed infringements. Under this law, use of personal data must have a valid legal basis. X could face fines of up to 4% of its global annual turnover if the allegations of data privacy breach are confirmed.

At least nine data privacy complaints against X have been filed with data protection authorities in Belgium, Austria, Greece, France, the Netherlands, Ireland, Poland, Italy, and Spain. The DPC has already instigated legal action against X at the Irish High Court. The Commission is seeking an injunction to compel the social media platform to stop using user data.

Inadequate Action

However, the privacy rights nonprofit, None of Your Business (NOYB) feels these actions are insufficient. NOYB argues that X users have no way of pushing the social media giant to delete data that has already been ingested.

“We have seen countless instances of inefficient and partial enforcement by the DPC in the past years. We want to ensure that Twitter fully complies with EU law, which at a bare minimum requires asking users for consent in this case,” NOYB chairman, Max Schrems said.

NOYB has escalated privacy complaints against X further by filing lawsuits in Ireland and seven other European countries. In its lawsuits, the privacy lobby group argues that X lacks a valid basis for using data from 60 million EU users to train its AIs without consent.

X relies heavily on the legal basis of legitimate interests. However, privacy experts claim that it must get people’s consent before using their data.

“Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well,” suggested Schrems.

Other Cases

Two months ago, Meta was forced to suspend plans to train its AI models with user data after NOYB took action. The data privacy lobby group used GDPR complaints in the lawsuit against Meta.

The approach used by X to acquire and use private data without consent allows it to stay under the radar for weeks. The DPC says the social media giant had been processing EU user data for AI training between Ma7 and August 1.

X only added a setting on the web version of the platform for users to opt out of the processing in late July. Even with this setting, users can only opt out if they are aware of X AI model training. The GDPR explicitly protects EU users from unexpected use of their information.

NOYB has highlighted the ruling by a top European court in its argument against the legal basis cited by X. In the ruling, judges agreed that a legitimate interest legal basis isn’t valid for such use case, user consent must be obtained.

Related News: Global Advertiser Group Shuts Down After X Ad Boycott Lawsuit