A complaint from nine EU nations says X must be prevented from using users’ data to train the AI models powering its chatbot Grok.
Nine European countries have slammed X with complaints for using customers’ posts to train its Grok AI without explicit permission. The Elon Musk-owned platform violated General Data Protection Regulation (GDPR) by using data belonging to as many as 60 million X users in the EU. Noyb, a Vienna-based non-profit, has already filed a complaint.
The complaints arrive shortly after the Irish Data Protection Commission noticed concerns about X using posts to train its own AI chatbot, Grok. Last week, the DPC initiated court proceedings against X for illegally using data to train its AI and thereby not complying with its responsibilities under the GDPR. The intention is to prevent X from launching the next generation of Grok, which Musk, unfazed by the latest row, says is coming in beta soon.
Grok 2 beta release soon pic.twitter.com/t6e9RcXPkl
— Elon Musk (@elonmusk) August 11, 2024
During the court proceedings, the DPC noted that X has refused to stop using users’ data to train its Grok. The watchdog acknowledged that X allows users to opt out of data sharing but keeps the feature on by default and does not explicitly inform them.
However, DPC’s current approach is limited to “suspending, restricting, or prohibiting” the data mining to train Grok, as the state-backed RTE news in Ireland notes. Noyb adds that the DPC is only concerned with “mitigation” measures instead of charging X for a violation of GDPR. “The DPC seems to take action around the edges but shies away from the core problem,” the privacy-focused non-profit noted. Though the Irish agency has settled with X to stop training until the end of September, it has not established the legality of this usage.
Therefore, to ensure the issue gets its due reparation, Noyb has filed separate complaints with nine nations in the EU, including Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Poland, and Spain. The simplest solution could entail X adding a voluntary opt-in mechanism — at least for the users in the EU.
However, X argued in an Irish court that it is relying on “legitimate interest,” a legal basis for processing personal data where the individual impact is minimal and the process is overall beneficial. The Court of Justice of the European Union (CJEU) had previously slammed Meta for using the same basis for showing ads in the EU.
Noyb’s complaints in multiple regions are likely to ensure the Irish DPA takes stricter measures against X.
“We want to ensure that Twitter fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case,” Noyb’s chairman Max Schrems said.
Additionally, the complaint highlights that AI systems do not comply with the GDPR’s Right to be Forgotten once they ingest users’ data and cannot provide an accurate copy of the personal data under Articles 17 and 15 of the regulation. Additionally, it may be incapable of separating data for users within and outside regions where the GDPR applies, thus highlighting the need for a broader solution.