Elon Musk’s X is facing court in Ireland for allegedly using Europeans’ data to train an AI model, RTE reported late Tuesday. The case concerns the social media platform’s decision last month to process user data to train its “Grok” AI model without informing people or asking for their permission.
Last month, Ireland’s Data Protection Commission (DPC) told TechCrunch it was “surprised” by X’s move and said it was taking “follow-up steps” to obtain further information.
The EU General Data Protection Regulation (GDPR) requires that there must be a valid legal basis for processing people’s data. Failure to comply with this regulation can result in fines of up to 4% of annual global turnover, so any confirmed non-compliance could be costly for X. In particular, the DPC is suing X under Ireland’s Data Protection Act 2018, under the RTE.
According to RTE, the DPC is seeking an injunction against Twitter International (as the Irish arm of the company still calls itself) over concerns about the handling of user data to train AI models. The watchdog told RTE it was taking action because it believed the issue poses an imminent risk to users’ rights and freedoms.
According to a report by the Irish Broadcasting Corporation, the DPC plans to refer the matter to the European Data Protection Board (EDPB), an independent supervisory authority established under the GDPR that has the power to issue guidance on how the EU-wide law should be applied.
The DPC declined to respond to questions about the legal action on Wednesday.
“The DPC has not yet commented on the matter, which was brought before the court yesterday, August 6, and it would be inappropriate to comment until the matter has been heard by the court,” Deputy Chief Communications Officer Ristaird Byrne told TechCrunch.
GDPR requires that there be an appropriate legal basis for processing personal data, meaning that the legal basis must fit the use case. In this case, privacy experts believe that X should be harvesting users’ content and reusing public posts to train its AI model. Instead, X quietly began harvesting users’ information last month, with an option buried in web settings that allows users to opt out. X also did not inform users that X was using their data to train Grok.
Meta, which owns Facebook and Instagram, halted a similar move to repurpose user data for AI training in June, following GDPR complaints and regulatory pressure from the DPC. But Musk’s company appears less cooperative with privacy regulators, prompting the DPC to seek an injunction in the High Court.
RTE reported that the DPC was seeking an order that would include an order “to stop, restrict or prohibit Twitter from processing User X’s personal data for the purposes of developing, training or improving machine learning, large-scale language or other AI systems used by Twitter”.
According to RTE, the DPC is also concerned about X's plans to release the next version of Grok this month, which is thought to have been trained using personal data from EU and European Economic Area users.
The broadcaster reported that Twitter International had refused a request from the DPC to stop processing European user data or delay the release of an updated version of Grok.
According to reports, the injunction case is expected to be heard again in the High Court next week.
X did not immediately respond to a request for comment.
Since Musk took over Twitter, there have been concerns that he would not take a good faith approach to complying with EU data protection law. But despite the DPC raising concerns after Twitter’s then-data protection officer left without notice in November 2022, the regulator has said little about the chaotic turnaround brought about by Musk or the related GDPR complaints.
In particular, X was able to maintain a key established position in Ireland, which allowed the DPC to lead complaints investigations, streamlining GDPR oversight. However, it is unclear whether Twitter International has any meaningful say in the decisions Musk makes that affect local users.
But if the court grants an injunction, Musk's quiet streak over GDPR oversight could finally come to an end.
There’s also been more local bad news for X in recent weeks. As we reported last month, the platform lost a lawsuit in the Netherlands over GDPR compliance after an individual sued Musk for shadowbanning and other legal issues.
The European Commission said last month that it suspected X of violating the EU's Digital Services Act (DSA).
The DSA includes higher fines for non-compliance (up to 6% of global annual turnover). The EU said it suspected X of breaching these rules in relation to the misleading design of its Blue Check system, and in failing to meet transparency requirements relating to researchers’ access to data and the effectiveness of the ad repository it must provide.
The EU is also investigating a second DSA incident against X, which began in December 2023 and involves broader content moderation and risk mitigation issues.
