Elon Musk’s social media platform, X (formerly Twitter), is facing significant backlash in the European Union (EU) over privacy concerns after it was discovered that the platform had been using users’ data to train its AI models without obtaining their consent. This has led to the filing of nine privacy complaints across multiple EU countries, including Austria, Belgium, France, and Ireland. The complaints allege that Elon Musk X violated the EU’s General Data Protection Regulation (GDPR), which mandates that personal data can only be processed with a valid legal basis, typically requiring user consent. The platform’s actions have sparked a strong response from privacy advocates and regulators alike.
The controversy began when a social media user noticed a setting that revealed X was processing EU users’ posts to train its Grok AI chatbot. This revelation drew the attention of the Irish Data Protection Commission (DPC), the main regulatory body overseeing X’s compliance with GDPR. The DPC expressed “surprise” at this discovery, as GDPR violations can result in fines of up to 4% of a company’s global annual turnover. The nine complaints against X and Elon Musk AI project argue that the platform’s use of the “legitimate interest” legal basis for data processing is not sufficient for AI training and that user consent should have been obtained.
Max Schrems, chairman of the privacy rights nonprofit noyb, which is supporting the complaints, criticized the DPC for its perceived inefficiency in enforcing GDPR regulations. Schrems emphasized that X should have obtained explicit consent from users before using their data for AI purposes, pointing out that other companies manage to do so for various activities. Although X eventually introduced an opt-out option for data processing in late July, this measure came too late for those whose data had already been used, leaving them without recourse.
The situation has drawn parallels to Meta’s recent decision to pause a similar plan to process user data for AI training after facing GDPR complaints. However, X’s more covert approach allowed it to continue processing data from May 7 to August 1 without widespread notice. Privacy experts argue that the GDPR is designed to prevent such unexpected uses of personal information, which can have serious implications for individuals’ rights and freedoms.
Noyb’s complaints also reference a ruling by Europe’s top court last summer, which determined that the “legitimate interest” legal basis was not valid for Meta’s ad targeting practices, setting a precedent that user consent is required for such uses of data. Additionally, the organization highlighted that providers of generative AI systems often struggle to comply with GDPR’s core requirements, such as the right to be forgotten or to access personal data, further complicating the legal landscape. The outcome of these complaints could have significant implications for X and other tech companies operating in the EU.
