X Faces EU Privacy Complaints over AI Data Use without Consent

X, formerly known as Twitter, has been hit with a series of privacy complaints after it was revealed that the platform was using data from European users to train its Grok AI chatbot without their consent.

Late last month, a social media user discovered a setting indicating that X had quietly started processing the posts of regional users for AI training. The revelation prompted the Irish Data Protection Commission (DPC), responsible for overseeing X's compliance with the General Data Protection Regulation (GDPR), to express "surprise," according to TechCrunch.

The GDPR mandates that personal data processing must have a valid legal basis, with non-compliance risking fines of up to 4% of global annual turnover. Nine complaints have been filed with data protection authorities in Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland, and Spain, accusing X of violating this requirement by processing users' posts without their consent.

Max Schrems, chairman of the privacy rights nonprofit noyb, which is backing the complaints, stated: "We have seen countless instances of inefficient and partial enforcement by the DPC in the past years. We want to ensure that Twitter fully complies with EU law, which — at a bare minimum — requires to ask users for consent in this case."

The DPC has already initiated legal action in the Irish High Court, seeking an injunction to stop X from using the data for AI model training. However, noyb argues that the DPC's efforts are insufficient, noting that X users currently have no way to request the deletion of data that has already been used. As a result, noyb has filed GDPR complaints in Ireland and seven other countries.

The complaints contend that X lacks a valid basis for using the data of approximately 60 million EU users for AI training without their consent. The platform appears to be relying on a legal basis known as "legitimate interest" for its AI-related processing. However, privacy experts argue that consent is necessary.

"Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well," Schrems suggested.

In June, Meta paused a similar plan to process user data for AI training after noyb supported GDPR complaints, leading to regulatory intervention.

X's approach, which involved quietly using user data for AI training without notifying users, went unnoticed for several weeks. According to the DPC, X was processing European data for AI model training from May 7 to August 1.

X users eventually gained the ability to opt out of this processing through a setting added to the web version of the platform in late July. However, there was no option to prevent the processing before that, and many users were unaware that their data was being used for AI training.

This situation is significant because the GDPR is designed to protect Europeans from unexpected uses of their data that could impact their rights and freedoms. Noyb argues that X's reliance on "legitimate interest" as a legal basis is not valid, referencing a ruling by Europe's top court last summer that user consent should be obtained for similar cases involving data use for ad targeting.

Noyb also highlights concerns that providers of generative AI systems often claim they cannot comply with other core GDPR requirements, such as the right to be forgotten or the right to access personal data. These concerns are also part of ongoing GDPR complaints against OpenAI's ChatGPT.