Ireland Data Regulator Opens X Probe Over Grok AI Training

Ireland’s data regulator has opened an investigation into social media platform X, formerly Twitter, over the use of personal data from EU citizens being used to train the AI platform Grok.

The Data Protection Commission (DPC), the EU’s lead data regulator for X, said the probe would look at the processing of personal data comprised in publicly accessible posts on X by EU or European Economic Area users “for the purposes of training generative artificial intelligence models” such as Grok.

The move comes after the DPC obtained a court order last August requiring X to temporarily stop processing EU data for AI purposes until users have been given the option to withdraw their consent.

AI training

An Irish court heard at the time that X users had only been given the option to object to their data being processed for AI purposes several weeks after the start of data collection.

X in May began providing posts by its EU users to xAI, a start-up launched in 2023 by X owner Elon Musk, to train tools such as chatbot Grok, according to EU-based privacy group Noyb.

A pitch to xAI investors disclosed in May also argued the start-up would have advantages over rivals through its connections to other Musk companies, including user data from X for use in training its large language model (LLM).

But X never informed its users their data would be used to train AI models, with most people finding out about the situation via a widely viewed post by an X user in late July.

The company last September updated its terms of service to indicate users’ data would be used for such purposes.

Musk last month sold X to xAI, combining the management structure and resources of the two companies.

Privacy rules

Noyb in August filed complaints against X over the use of EU users’ data for AI in Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Spain and Poland, claiming the approach of Ireland’s DPC alone was too “pro-corporate”.

Noyb said the DPC’s initial complaint was mainly concerned with mitigation measures and a lack of cooperation by X, while failing to question the legality of the data processing itself.

“We want to ensure that Twitter fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case,” said Noyb chairman Max Schrems at the time.

The DPC has the power to fine companies up to 4 percent of their global turnover under the EU’s GDPR data protection laws.