X’s AI Training Irks Privacy Experts; Draws Nine GDPR Complaints Across Europe


Twitter International, now rebranded as “X,” has been accused of unlawfully using the personal data of over 60 million users in the EU/EEA to train its AI technologies, including the platform’s proprietary AI system “Grok”, without their consent.

This move has prompted a wave of GDPR complaints filed by the privacy advocacy group noyb in nine European countries, after the group deemed recent court action against the social media giant by the Irish Data Protection Commission (DPC) to be insufficient.

Questionable Practices By X

The issue first came to light in May 2024, when Twitter began feeding European users’ data into its AI systems without informing them or obtaining their permission. In response, the Irish Data Protection Commission (DPC) took court action against X to stop the illegal processing and enforce compliance with the GDPR. However, the proceedings have raised concerns about the DPC’s approach.


“The court documents are not public, but from the oral hearing we understand that the DPC was not questioning the legality of this processing itself,” explained Max Schrems, the chairman of noyb. He added, “It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC seems to take action around the edges, but shies away from the core problem.”

Dissatisfied with the DPC’s response, noyb has filed GDPR complaints with data protection authorities in nine European countries, including Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Spain, and Poland. The stated goal is to ensure that the core legal issues surrounding Twitter’s AI training are fully addressed.

“We have seen countless instances of inefficient and partial enforcement by the DPC in the past years,” Schrems said. “We want to ensure that Twitter fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case,” he added.

Schrems feels that the GDPR provides a straightforward solution for companies to use personal data for AI development: obtain clear consent from users. In his view, if even a small fraction of Twitter’s 60 million European users consented to their data being used for AI training, the company would have ample data for its models.

“Companies that interact directly with users simply need to show them a yes/no prompt before using their data,” Schrems said. “They do this regularly for lots of other things, so it would definitely be possible for AI training as well,” he clarified.

Broader GDPR Concerns

Beyond the consent issue, noyb’s complaints also raise concerns about Twitter’s ability to comply with other GDPR requirements, such as the right to be forgotten, the right to access personal data, and the right to correct inaccurate information.

“This raises additional questions when it comes to the unlimited ingestion of personal data into AI systems,” Schrems noted. Given the scale of the alleged GDPR violations, noyb has requested an “urgency procedure” under Article 66 of the regulation, which allows data protection authorities to issue preliminary halts in such situations. The goal is to ensure a swift and comprehensive response from European regulators.


