X Faces GDPR Heat Over AI Training on 60 Million European Users’ Data
European privacy advocacy organization NOYB has recently lodged a complaint with EU regulators against Elon Musk’s social media platform, X/Twitter, accusing it of violating users’ privacy rights. The complaint centers on X’s use of personal data from over 60 million European users to train the large language model, Grok, without obtaining explicit user consent.
Grok, a product developed by Musk’s artificial intelligence research company xAI, primarily sources its training data from X. The model can also query real-time content updates on X, such as newly posted tweets from users.
NOYB, a European non-profit privacy advocacy group, is dedicated to overseeing the enforcement of digital rights and data protection laws, particularly the GDPR (General Data Protection Regulation). Over the past few years, NOYB has successfully filed multiple complaints against tech giants like Apple, Google, Amazon, and Meta, leading to fines or mandated corrections for GDPR violations.
In July 2024, X introduced a new data control feature, allowing the use of users’ posts and interactions with Grok, including inputs and outputs, for training and fine-tuning. By default, xAI uses user data for training.
Ireland’s Data Protection Commissioner (DPC), the primary data regulator in Europe, has also taken notice of this issue. Following discussions with X, the company agreed to suspend processing the personal data of European users until September.
However, NOYB believes the DPC’s investigation is insufficient, merely proposing a temporary delay in data usage as a mitigation measure. Consequently, NOYB has decided to directly file a complaint with EU regulators, urging a thorough investigation.
For X, the current situation dictates that it must refrain from using European users’ data to avoid clear violations, lest it risk substantial fines and required corrections imposed by the EU—a scenario that would be more costly than beneficial for X.
In the future, xAI and X may choose to exclude data from EU users or switch to an opt-in system, where users voluntarily provide their data, thus avoiding regulatory violations.
