X faces multiple GDPR complaints over AI training practices

The social media platform X, formerly known as Twitter, is facing fresh legal challenges across Europe over its artificial intelligence (AI) training practices.

Austrian privacy advocacy group NOYB has filed complaints with data protection authorities in nine EU countries, alleging that X is unlawfully using European users' personal data to train its AI systems without consent.

According to NOYB, X began irreversibly feeding European users' data into its "Grok" AI technology in May 2024 without informing them or seeking their permission. This action has prompted concerns about potential violations of the General Data Protection Regulation (GDPR).

The Irish Data Protection Commission (DPC), which acts as the lead regulator for many US tech firms in the EU, has already taken legal action against X. The DPC is seeking to halt the illegal processing and enforce compliance with GDPR. However, NOYB chairman Max Schrems criticised the DPC's approach, stating: "The DPC seems to take action around the edges, but shies away from the core problem."

NOYB's complaints, filed in Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Spain and Poland, aim to ensure a comprehensive investigation into X's AI training practices. The group is pushing for an "urgency procedure" under Article 66 of GDPR, which could lead to a preliminary halt of data processing and an EU-wide decision.

Schrems argued that X could easily comply with EU law by simply asking users for consent: "Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well."

The complaints allege multiple GDPR violations, including the lack of a valid legal basis for data processing, failure to distinguish between EU and non-EU user data, and potential mishandling of sensitive information. NOYB also raised concerns about X's ability to comply with other GDPR requirements, such as the right to be forgotten, once data has been incorporated into AI systems.

X reportedly claims it has a "legitimate interest" that overrides users' fundamental rights, an approach that has previously been rejected by the Court of Justice in a case involving Meta's use of personal data for targeted advertising.

The social media platform has agreed to pause further AI training using EU user data until September, following a settlement with the Irish DPC. However, questions remain about the fate of data already ingested into X's systems and the company's ability to properly separate EU and non-EU data.



Share Story:

Recent Stories


Bringing Teams to the table – Adding value by integrating Microsoft Teams with business applications
A decade ago, the idea of digital collaboration started and ended with sending documents over email. Some organisations would have portals for sharing content or simplistic IM apps, but the ways that we communicated online were still largely primitive.

Automating CX: How are businesses using AI to meet customer expectations?
Virtual agents are set to supplant the traditional chatbot and their use cases are evolving at pace, with many organisations deploying new AI technologies to meet rising customer demand for self-service and real-time interactions.