Introduction
The General Data Protection Regulation (GDPR) imposes strict requirements on the use of personal data, even if it is publicly shared by users. This regulation is particularly relevant in the context of AI model training, where legal justification and transparency are paramount. The Irish Data Protection Commission (DPC) is actively investigating the compliance of the social media platform X (formerly Twitter) with GDPR, focusing on the use of European users’ data for training AI models [2].
Description
Under the GDPR [7], personal data [1] [2] [3] [4] [5] [6] [7] [8], even if publicly shared by users [7], cannot be used for unrelated purposes such as AI model training without appropriate legal justification and transparency [7]. Consent or legitimate interest is required [7], and users must be adequately informed about the usage of their data [7].
The Irish Data Protection Commission (DPC) is currently investigating the processing of personal data by the social media platform X (formerly Twitter), owned by Elon Musk [4]. This inquiry focuses on whether X is adhering to the GDPR regarding the legality and transparency of its data processing practices, particularly concerning how data from publicly accessible posts made by European users and users in the European Economic Area was utilized to train the Grok Large Language Models (LLMs) developed by xAI. The DPC aims to evaluate compliance with key provisions of the GDPR [4], scrutinizing whether personal data from these publicly accessible posts on X was lawfully processed for training Grok’s AI models.
In 2024 [5], the DPC initiated legal action against X to prevent the processing of European users’ data for AI training without consent [5], following a policy change that allowed such use [5]. However, these legal proceedings were later dismissed after X agreed to limit its use of EU users’ personal data [5]. The DPC has not disclosed the reasons for its renewed concerns regarding potential GDPR violations [5]. Civil rights organization Noyb has raised concerns [6], filing complaints in nine EU countries about the processing of data without user consent [6], and criticized the DPC for not fully enforcing GDPR [6].
The ongoing investigation into Grok may have significant implications beyond its immediate context [7], potentially establishing a precedent for the evaluation of AI models trained on user-generated content under GDPR [7]. Companies aiming to navigate regulatory challenges may need to enhance their data governance and documentation practices [7].
As Grok continues its operations within the X platform [7], the findings from the DPC are expected to have broader repercussions. The outcome of the investigation could result in fines [7], operational adjustments [7], or further legal disputes [7], underscoring the EU’s firm regulatory approach [7], with Ireland playing a central role in these developments [7]. The DPC has the authority to impose fines of up to four percent of X’s global revenue [5], and the last fine imposed on X by the DPC was €450,000 in 2020 for failing to report a data breach within the required 72-hour timeframe [5].
In response to concerns about AI systems like ChatGPT [6], the European Data Protection Board (EDPB) established a task force in mid-2023 to ensure consistent enforcement of data protection laws across the EU and prevent disparate sanctions from different member state authorities. Additionally, EU data protection authorities introduced a three-stage test for AI concerning legitimate interests and necessity in December [6], further shaping the regulatory landscape for AI technologies.
Conclusion
The DPC’s investigation into the use of personal data by X for AI model training underlines the critical importance of GDPR compliance. The outcome could set a significant precedent for how AI models are developed using user-generated content, influencing data governance practices across the industry. The potential for fines and operational changes highlights the EU’s stringent regulatory stance, with Ireland at the forefront of these efforts. The evolving regulatory landscape necessitates that companies remain vigilant and proactive in their data protection strategies.
References
[1] https://www.irishexaminer.com/business/technology/arid-41611789.html
[2] https://www.business-humanrights.org/en/latest-news/ireland-privacy-watchdog-investigates-x-over-use-of-eu-personal-data-to-train-its-ai-model-grok/
[3] https://www.thejournal.ie/investigation-into-grok-x-ireland-6675606-Apr2025/
[4] https://www.irishpost.com/business/irish-data-protection-watchdog-to-investigate-use-of-personal-data-by-xs-chatbot-grok-289114
[5] https://www.engadget.com/big-tech/irelands-privacy-regulator-is-investigating-xs-use-of-public-data-to-train-grok-182010855.html
[6] https://www.heise.de/en/news/Suspected-GDPR-violations-Irish-data-protectionists-examine-AI-model-Grok-10350155.html
[7] https://thelegalwire.ai/ireland-investigates-musks-grok-ai-a-new-flashpoint-in-eu-us-tech-tensions/
[8] https://www.breakingnews.ie/business/data-watchdog-to-investigate-xs-grok-ai-tool-1751422.html