European Non-Profit Files 9 GDPR Complaints Against X/Twitter for Using Data Without Consent to Train AI
Brook.X
The European privacy advocacy group NOYB has lodged complaints with EU regulatory bodies against Elon Musk's social media platform X/Twitter, accusing it of infringing on users' privacy rights. The complaint alleges that X has used the personal data of over 60 million European users to train its large language model, Grok, without obtaining explicit consent from the users.
Grok, a product of Musk’s artificial intelligence research company xAI, is primarily trained on data from X and can even query new content posted on X in real time, such as users' latest tweets.
NOYB, a non-profit organization dedicated to monitoring the enforcement of digital rights and data protection laws, particularly the General Data Protection Regulation (GDPR), has successfully filed complaints against tech giants like Apple, Google, Amazon, and Meta in the past, leading to fines or mandatory corrective actions for GDPR violations.
Starting in July 2024, X introduced a new data control feature that allows users' posts and their interactions, inputs, and results with Grok to be used for training and fine-tuning by default, meaning xAI would use users' data for training unless opted out.
The Irish Data Protection Commissioner (DPC), a leading European data regulatory authority, took note of the issue and negotiated with X, resulting in X's agreement to halt the processing of personal data from European users until September.
However, NOYB criticized the DPC's investigation as insufficient, arguing that it only recommended a temporary delay in data usage. As a result, NOYB has decided to file a complaint directly with the EU, urging an investigation by EU regulators.
X now faces a dilemma: using European users' data could lead to substantial fines and mandatory corrections if found in violation of GDPR, a risk seemingly not worth taking.
Moving forward, xAI and X might exclude EU users' data or change the default settings to not use EU users' data unless users explicitly opt in, which would comply with regulations.
