X Faces Legal Scrutiny Over AI Training Data Practices

Popular social media platform X, formerly known as Twitter, is now embroiled in serious legal challenges over its data use practices.

Privacy advocacy group NOYB (None Of Your Business), spearheaded by privacy activist Max Schrems, has lodged complaints with multiple European data protection authorities, accusing X of using data from over 60 million European users to train its artificial intelligence model, Grok, without proper consent.

The Heart of the Issue

These complaints hinge on the fact that X’s decision to train its AI model with user data directly contravenes the General Data Protection Regulation (GDPR), a stringent set of regulations designed to protect the data and privacy of European Union residents.

Under the GDPR, companies must obtain explicit consent before processing personal data, a requirement that NOYB claims X has blatantly ignored.

Detailed Allegations

NOYB’s complaints highlight that X’s default account settings allow the use of personal data to “fine-tune” Grok without explicit consent. Additionally, X shared the collected data with its service provider, xAI, under similar terms.

The unauthorized use of this data reportedly took place between May 7 and Aug. 1, 2024, a timeline that has since been scrutinized by regulatory bodies.

Regulatory Responses and Agreements

Ireland’s Data Protection Commissioner (DPC) has recently reached an agreement with X, resulting in the suspension of personal-data processing until September. Schrems, however, has criticized the decision, arguing that the DPC is focused on mitigation rather than thoroughly examining X’s actions.

Schrems subsequently expressed dissatisfaction with what he views as a "half-hearted" response from the DPC, prompting NOYB to file multiple GDPR complaints across various articles, advocating for a comprehensive investigation.

Unresolved Questions

Key questions remain unanswered, such as why X failed to notify users about the data usage for Grok's training immediately after it began, what happens to the EU data already included in training datasets, and how X plans to segregate EU from non-EU data effectively. Moreover, concerns linger about why X has not yet implemented a system to request permissions from EU residents for data use in Grok training, a method deemed compliant with GDPR standards.