Anika Begay
Elon Musk’s X has been taken to court in Ireland for using Europeans’ data to train AI models, RTE reported on Tuesday night. The development is related to the social media platform’s decision last month to process user data to train its “Grok” AI model without notifying people or asking them if they agreed.
Last month, the Irish Data Protection Commission (DPC) told TechCrunch that it was “surprised” by X’s move. It also said it was “following up” to seek more information.
The pan-EU General Data Protection Regulation (GDPR) requires any processing of individuals’ data to have a valid legal basis. Breaches of the regime can result in fines of up to 4% of global annual turnover, so any confirmed non-compliance could end up being costly for X. Specifically, the DPC is suing X under the Irish Data Protection Act 2018, per RTE.
According to RTE, the DPC is seeking an injunction against Twitter International (the company’s Irish arm is still called that) over concerns about its processing of user data to train its AI model. The watchdog told RTE it is taking action because it believes the matter poses an urgent risk to users’ rights and freedoms.
The Irish broadcaster’s report suggests that the DPC intends to refer the matter to the European Data Protection Board (EDPB), an independent supervisory body established under the GDPR that has the power to issue guidance on how to apply the pan-European regulation.
Contacted for questions on Wednesday, the DPC declined to comment further on the lawsuit.
“With regard to the matter that was brought before the courts yesterday, August 6, the DPC has not made any comment at this point and it would be inappropriate to do so until the matter has been addressed by the court,” Deputy Director of Communications Risteard Byrne told TechCrunch.
GDPR requires any processing of personal data to have an appropriate legal basis. That means the legal basis must be appropriate for the use case — in this case, privacy experts believe X should obtain user content to reuse their public posts to train its AI models. Instead, X quietly began harvesting user information last month, only allowing users to opt out with a hidden option in their web settings. Users have also not been informed by X that it is using their data to train Grok.
Meta, which owns Facebook and Instagram, put a similar move to repurpose user data for AI training on hold in June, following GDPR complaints and regulatory pressure, including from the DPC. However, Musk’s company appears to have been less cooperative with privacy regulators, hence the DPC’s request for a High Court injunction.
RTE reported that the DPC is seeking orders including one to “suspend, restrict or prohibit the defendant from processing the personal data of X users for the purposes of developing, training or improving any machine learning, big language or other artificial intelligence systems used by Twitter.”
According to RTE, the DPC is also concerned about X’s plan to launch the next version of Grok this month, which is believed to have been trained using personal data from users in the EU and the European Economic Area.
The outlet reported that Twitter International rejected the DPC’s requests to stop processing European user data or delay the launch of the updated version of Grok.
The injunction proceedings will return to the High Court next week, the report says.
X did not immediately respond to requests for comment.
Since Musk took over Twitter, there have been concerns that he hasn’t taken a good faith approach to complying with EU privacy laws. But despite some early expressions of concern from the DPC following the unnotified departure of Twitter’s then-chief data protection officer in November 2022, the regulator has had little to say about the chaotic change of direction Musk has wrought. Or the related GDPR complaints.
Notably, X has also managed to retain its established principal status in Ireland, which allows it to streamline GDPR oversight by having the DPC lead complaint investigations. However, it’s unclear whether Twitter International has any say in Musk’s decisions affecting local users.
However, Musk’s quiet bid to oversee GDPR may finally come to an end if the court upholds the injunction.
There’s been more bad regional news for X in recent weeks. The platform found itself losing a lawsuit in the Netherlands over a GDPR compliance issue, as we reported last month, after an individual sued Musk for shadowbanning and other legal issues.
Last month, the European Commission said it suspected X of violating the EU’s Digital Services Act (DSA).
The DSA provides for even higher fines, up to 6% of global annual turnover, for non-compliance. The EU said it suspected X of breaching these rules in relation to the misleading design of its blue check system and its failure to meet transparency requirements regarding data access for researchers and the effectiveness of an ad repository it is required to provide.
The EU is also investigating a second DSA case against X, open since December 2023, concerning wide-ranging issues with content moderation and risk reduction.
