The social media platform X, formerly known as Twitter, is facing fresh legal challenges across Europe over its artificial intelligence (AI) training practices.

Austrian privacy advocacy group NOYB has filed complaints with data protection authorities in nine EU countries, alleging that X is unlawfully using European users' personal data to train its AI systems without consent.

According to NOYB, X began irreversibly feeding European users' data into its "Grok" AI technology in May 2024 without informing them or seeking their permission. This action has prompted concerns about potential violations of the General Data Protection Regulation (GDPR).

The Irish Data Protection Commission (DPC), which acts as the lead regulator for many US tech firms in the EU, has already taken legal action against X. The DPC is seeking to halt the illegal processing and enforce compliance with GDPR. However, NOYB chairman Max Schrems criticised the DPC's approach, stating: "The DPC seems to take action around the edges, but shies away from the core problem."

NOYB's complaints, filed in Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Spain and Poland, aim to ensure a comprehensive investigation into X's AI training practices. The group is pushing for an "urgency procedure" under Article 66 of GDPR, which could lead to a preliminary halt of data processing and an EU-wide decision.

Schrems argued that X could easily comply with EU law by simply asking users for consent: "Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well."

The complaints allege multiple GDPR violations, including the lack of a valid legal basis for data processing, failure to distinguish between EU and non-EU user data, and potential mishandling of sensitive information. NOYB also raised concerns about X's ability to comply with other GDPR requirements, such as the right to be forgotten, once data has been incorporated into AI systems.

X reportedly claims it has a "legitimate interest" that overrides users' fundamental rights, an approach that has previously been rejected by the Court of Justice in a case involving Meta's use of personal data for targeted advertising.

The social media platform has agreed to pause further AI training using EU user data until September, following a settlement with the Irish DPC. However, questions remain about the fate of data already ingested into X's systems and the company's ability to properly separate EU and non-EU data.

---