The Irish Data Protection Commission (DPC) has announced that it will be investigating X’s use of the platform’s posts, replies and user information as AI training data for its embedded “Grok” feature. A key point will be X’s default opt-in of all users, something that may run afoul of General Data Protection Regulation (GDPR) personal information consent requirements.
Like many international tech giants, X keeps its EU headquarters in Dublin. But owner Elon Musk has been more aggressive and public in his sparring with EU regulators than most, and regulators there are currently considering fines for the company that could reach over $1 billion in total in a separate case involving alleged disinformation and failure to moderate illicit content.
AI training data opt-in may have violated GDPR requirements
X has been accused of using nearly everything that users post on the platform, or add to the publically viewable portions of their profile, to train the built-in Grok AI chatbot. Users are given the ability to opt out, but have been opted in by default since this training began and must navigate the platform’s internal menus to change this.
While users are not required to place any personal information in these profile segments or posts, they often do. That puts X into a jam that many of the other major social media companies have found themselves in as pertains to EU regulations; collection and use of personal information generally requires clear informed consent, at least in areas where the GDPR applies. However, those other cases have tended to focus on collection of this information for targeted advertising purposes rather than AI training data.
The Irish DPC has confirmed that this case is not related to the ongoing tariff negotiations between the US and EU, and that the investigation began in the summer of 2024 while the US election campaigns were still ongoing. The Trump administration has threatened possible retaliation if EU regulators fine US tech firms, but has focused more on cases involving alleged suppression of political views and free speech rather than AI training data or missteps in handling targeted advertising in the bloc.
X hit with multiple complaints in EU over collection of AI training data
It remains unclear exactly how much personal information X has actually collected from EU users, as the internal AI training data system is opaque to the outside world. X previously landed in hot water with EU regulators in August 2024 after at least nine complaints were filed about the possible collection of personal data, with the Irish DPC beginning court proceedings and only ending them after X agreed to limit this practice in the region in September.
A key to the investigation will be if X can demonstrate that it successfully filters personal information out of posts that are turned into AI training data (or screens these posts out entirely when personal information is detected). If this is the case, the fact that users are automatically opted in may not matter. Musk and X have yet to comment, but Grok itself claims to only access posts for training purposes if its name is explicitly mentioned in the post.
The potential penalty for GDPR violations is up to 4% of annual global turnover, but the Irish DPC has tended to stay away from the upper limits when fining major tech outfits. X, then Twitter, was the first platform fined by the DPC under GDPR rules; it received a penalty of 450,000 euros in December 2020 after a year-long investigation into its timely reporting of a data breach.
EU member states have proven themselves willing to investigate and penalize companies over misuse of AI training data, but the actual legal standards are still developing in some ways. At this point the bloc is relying more on the relatively new Artificial Intelligence Act to regulate AI rather than the GDPR rules, which do not always directly and clearly apply to situations like this in which personal data might be taken up in the course of public posting. One existing example of GDPR being applied to AI is complaints against OpenAI for failing to provide right to rectification under the terms of Article 16 when ChatGPT produces faulty and potentially libelous information about individuals while providing them no real means to have that information corrected or removed. Italy’s brief ban of ChatGPT two years ago also centered mostly on its failure to screen out underage users and apply special protections for their personal information required by the regulations.
X avoids many of the GDPR troubles that contemporaries like Meta and Google face due to its advertising structure; it limits outside sharing of third-party data and bases platform ads on the context of what users view and interact with solely within the app. But it faces serious issues under other EU regulations, chiefly the Digital Services Act. Musk has been sparring with the European Commission since he took over the platform over alleged failure to police and moderate it adequately for content the bloc considered to be “disinformation” or harmful, which it faces enhanced EU obligations for given its designation as a “Very Large Online Platform (VLOP).”
