Recently, social media platform X (formerly known as Twitter) has faced a series of privacy complaints for using data from users in the EU region to train its Grok AI chatbot without their consent. Just at the end of last month, attentive netizens noticed that X quietly added an option in its settings, indicating that it had begun processing post data from EU users for AI training. This has drawn the attention of the Irish Data Protection Commission (DPC), which expressed "surprise" at this development.
Under the EU's General Data Protection Regulation (GDPR), companies must have a legal basis to use personal data, or they could face fines of up to 4% of their global annual turnover. There have already been complaints from nine countries including Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland, and Spain, accusing X of processing data from approximately 60 million EU users for AI models without their consent.
Max Schrems, chairman of the privacy advocacy group noyb, pointed out in a statement: "Over the past few years, the enforcement efficiency of the DPC has been disappointing. We hope to ensure that Twitter complies with EU laws, and at least in this case, needs to ask for user consent." In fact, the DPC has already taken legal action against X's AI training data processing, seeking a mandatory injunction to stop this behavior. However, noyb believes that the DPC's measures are insufficient because users cannot request the deletion of data that has already been processed. For this reason, noyb has submitted GDPR complaints in Ireland and seven other countries.
The complaints state that X does not have a legitimate basis for processing this user data. Although the platform claims to process data for AI purposes based on "legitimate interests," privacy experts say that X must obtain user consent. Schrems mentioned: "Companies that interact directly with users only need to show a yes/no prompt before using their data, which has been done in many other scenarios, and is therefore entirely feasible in AI training."
Before this, Meta also paused similar plans due to complaints from noyb and intervention from regulatory authorities. However, X's approach seems to have gone unnoticed for several weeks. According to information from the DPC, X processed data from EU users between May 7 and August 1. Although an option was added to the web version of X at the end of July, allowing users to opt out of data processing, users were unaware of this information before then.
This is very important because the goal of the GDPR is to protect EU users from the impact of uninformed data usage. In the debate over X's legal basis, noyb cited last year's ruling from the highest court in Europe, arguing that "legitimate interests" do not apply in this situation, and user consent is mandatory. Additionally, noyb pointed out that many generative AI systems often claim that they cannot comply with other core requirements of the GDPR, such as the right to be forgotten or the right to access personal data.
Key Points:
1. 📜 X (Twitter) faces privacy complaints from nine countries for using EU user data to train AI without consent.
2. 🚨 Privacy rights organization noyb states that X must comply with GDPR, users should be informed of data usage and give consent.
3. ⚖️ DPC has initiated legal action against X, seeking an injunction to stop data processing, but users still cannot delete data that has been used.