Elon Musk’s X is being taken to court in Ireland for using Europeans’ data to train AI models, RTE reported late on Tuesday. The development relates to the social media platform’s decision last month to process user data to train its “Grok” AI model without notifying or asking people if they’re okay with that.
Last month, the Irish Data Protection Commission (DPC) told TechCrunch it was “surprised” by X’s move. It also said it had “followed up” seeking more information.
The pan-EU General Data Protection Regulation (GDPR) requires any processing of people’s data to have a valid legal basis. Breaches of the regime can result in penalties of up to 4% of global annual turnover, so any confirmed non-compliance could end up being costly for X. Notably, the DPC is suing X under Ireland’s 2018 Data Protection Act, per RTE.
According to RTE, the DPC is seeking an injunction against Twitter International (the company’s Irish division is still named that) over concerns about the processing of user data for AI model training. The watchdog told RTE it’s taking action as it believes the matter poses an urgent risk to the rights and freedoms of users.
The Irish broadcaster’s report suggests the DPC intends to refer the matter to the European Data Protection Board (EDPB), an independent supervisory body established under the GDPR that has powers to issue guidance on how that pan-EU law applies.
The DPC declined further comment on the legal action when contacted with questions on Wednesday.
“In terms of the matter which was before the courts yesterday, August 6, the DPC has not released any comment at this point and it would be inappropriate to do so until this matter has been dealt with by the court,” assistant principal communications officer, Risteard Byrne, told TechCrunch.
The GDPR requires any processing of personal data to have a proper legal basis. That means the legal basis must be appropriate for the use-case — in this case, privacy experts believe X needs to obtain users’ content to repurpose their public posts to train its AI models. Instead, X quietly started helping itself to users’ info month, only letting users opt out with an option buried in web setting. Users were also not notified by X that it’s using their data to train Grok.
Meta, which owns Facebook and Instagram, paused a similar move to repurpose user data for AI training back in June following GDPR complaints and regulatory pressure, including from the DPC. However, Musk’s company appears to have been less cooperative with privacy regulators — hence the DPC seeking an injunction in the High Court.
RTE reported the DPC is seeking orders including one for “suspending, restricting, or prohibiting the respondent from processing the personal data of X users for the purposes of developing, training or refining any machine learning, large language or other AI systems used by Twitter.”
Per RTE, the DPC is also concerned about X’s plan to launch the next version of Grok this month, which is believed to have been trained using the personal data of users in the EU and European Economic Area.
The broadcaster reported that Twitter International had refused requests from the DPC to stop processing European users’ data or delay the launch of the updated version of Grok.
The injunction proceedings will return before the High Court next week, the report added.
X did not immediately respond to requests for comment.
Since Musk took over Twitter, there have been concerns he would not take a good faith approach to compliance with EU privacy laws. But, despite some early expressions of concern from the DPC following the un-notified departure in November 2022 of Twitter’s then-data protection officer, the regulator has had little to say about the chaotic change of direction Musk has wrought. Or related GDPR complaints.
Notably, X has also been able to maintain its main established status in Ireland, which allows it to streamline GDPR oversight by having the DPC lead on investigating complaints. Yet, it’s not clear if Twitter International has any meaningful say in decisions taken by Musk that affect local users.
Musk’s quiet run on GDPR oversight may finally be coming to an end, though, if the court grants the injunction.
There’s been more regional bad news for X in recent weeks, too. The platform found itself losing a case in the Netherlands on a GDPR compliance issue, as we reported last month, after an individual sued Musk over shadowbanning and other legal issues.
The European Commission also last month said it suspects X of breaching the bloc’s Digital Services Act (DSA).
The DSA contains even higher penalties —up to 6% of global annual turnover —for non-compliance. The EU said it suspects X of breaching these rules in relation to the misleading design of its blue check system, and failing to meet transparency requirements related to data access for researchers and the effectiveness of an ad archive it is required to provide.
The EU is also investigating a second DSA case against X, open since December 2023, concerning wide-ranging content moderation and risk mitigation issues.