News
Elon Musk’s X faces privacy complaints over EU user data use for AI training
Top 3 Key Points:
- X, owned by Elon Musk, is facing privacy complaints for using EU user data to train AI without consent.
- The Irish Data Protection Commission (DPC) is challenging X’s actions under the GDPR, which mandates user consent.
- Nine EU countries have filed complaints, demanding X stop its data use and respect users’ rights.
X, the social media platform owned by Elon Musk, is facing multiple privacy complaints for using data from European Union (EU) users to train its Grok AI chatbot without their consent. This issue surfaced when a vigilant social media user noticed a setting indicating X was processing user posts for AI training without proper notification. The Irish Data Protection Commission (DPC), which oversees X’s adherence to the General Data Protection Regulation (GDPR), expressed surprise and concern over this practice.
The GDPR strictly requires a valid legal basis for processing personal data, with consent being a primary requirement. In response, nine complaints have been filed against X across various EU countries, including Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland, and Spain. These complaints argue that X failed to secure user consent before processing their data, thus breaching GDPR rules.
Max Schrems, chairman of the privacy rights organization noyb, criticized the DPC for its past enforcement efforts and emphasized the need for X to comply fully with EU law. The DPC has already initiated legal action in the Irish High Court to halt X’s data usage for AI training. However, noyb argues that these actions are insufficient, as X users currently have no way to delete data already processed by the company.
The core issue revolves around X’s use of “legitimate interest” as a legal basis for its AI-related data processing. Privacy experts argue that this is inadequate and that X should have obtained explicit user consent. Schrems pointed out that companies regularly prompt users for consent on various matters, making it entirely feasible for AI training as well.
Twitter just activated a setting by default for everyone that gives them the right to use your data to train grok. They never announced it. You can disable this using the web but it’s hidden. You can’t disable using the mobile app
Direct link: https://t.co/lvinBlQoHC pic.twitter.com/LqiO0tyvZG
— Kimmy Bestie of Bunzy, Co-CEO Execubetch™️ (@EasyBakedOven) July 26, 2024
This situation mirrors a similar case involving Meta, which paused its plans to use user data for AI training after GDPR complaints and regulatory intervention. X’s approach of quietly using user data for AI training without informing users allowed it to evade detection for some time.
Between May 7 and August 1, X processed EU user data for AI training. While users eventually gained the ability to opt out via a web platform setting added in late July, they were not notified about this practice, making it difficult for them to opt-out in the first place.
The GDPR aims to protect EU citizens from unexpected uses of their data that could impact their rights and freedoms. In this case, noyb references a judgment from Europe’s top court, which ruled that “legitimate interest” is not a valid basis for using personal data without consent, especially in scenarios involving user rights.
Noyb also highlights that providers of generative AI systems, like X, often struggle to comply with other core GDPR requirements, such as the right to be forgotten or the right to access personal data. Similar concerns have been raised in other ongoing GDPR complaints, including those against OpenAI’s ChatGPT.