X, the social media platform owned by Elon Musk, has been hit by a series of privacy complaints after it allegedly misappropriated user data in the European Union to train artificial intelligence models without asking people’s consent.
Late last month, an eagle-eyed social media user spotted a setting that indicated X had quietly started processing data from regional users’ posts to train its Grok AI chatbot. The revelation prompted an expression of “surprise” from the Irish Data Protection Commission (DPC), the watchdog that leads oversight of X’s compliance with the bloc’s General Data Protection Regulation (GDPR).
The GDPR, which can penalize proven violations with fines of up to 4% of global annual turnover, requires all uses of personal data to have a valid legal basis. The nine complaints against X, which have been filed with data protection authorities in Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland and Spain, accuse it of failing to pass this step by processing Europeans’ posts to train AI without obtaining their consent.
Commenting in a statement, Max Schrems, president of the privacy rights nonprofit noyb, which is supporting the complaints, said: “We have seen countless cases of inefficient and biased enforcement by the DPC in recent years. We want to ensure that Twitter fully complies with EU law, which, at a minimum, requires asking for user consent in this case.”
The DPC has already taken some action over X's processing of user data for AI model training, filing suit in the Irish High Court to seek an injunction forcing it to stop. But noyb argues that the DPC's actions so far are insufficient, noting that there is no way for X users to get the company to delete “data already ingested.” In response, noyb has filed GDPR complaints in Ireland and eight other countries.
The complaints allege that X has no valid basis for using the data of about 60 million people in the EU to train AI without getting their consent. The platform appears to rely on a legal basis known as “legitimate interest” for AI-related processing. However, privacy experts argue that consent is the only appropriate basis here.
“Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for many other things, so it would certainly be possible for AI training as well,” Schrems suggested.
In June, Meta suspended a similar plan to process user data to train AI after noyb filed GDPR complaints and regulators stepped in.
But X’s approach of quietly harvesting user data to train its AI, without even telling people, appears to have allowed the processing to go unnoticed for several weeks.
According to the DPC, between May 7 and August 1, X was processing data from Europeans to train its AI model.
X users were given the ability to opt out of processing via a setting added to the web version of the platform, apparently in late July. But there was no way to block processing before then. And of course, it’s hard to opt out of having your data used to train AI if you don’t even know it’s happening in the first place.
This is important because the GDPR is specifically designed to protect European citizens from unexpected uses of their information, which could impact their rights and freedoms.
In arguing against X’s choice of legal basis, noyb points to a ruling handed down last summer by the Court of Justice of the European Union, the bloc’s top court, on a competition complaint against Meta’s use of people’s data for ad targeting, in which the judges found that a legitimate interest legal basis was not valid for that use case and that user consent should have been obtained.
Noyb also points out that providers of generative AI systems typically say they are unable to comply with other key GDPR requirements, such as the right to be forgotten or the right to obtain a copy of one’s personal data. Such concerns are present in other pending GDPR complaints against OpenAI’s ChatGPT.