X Faces Complaints For Using EU Data Without Consent

Today, Reuters reported that the privacy group NOYB has filed a formal complaint against the social media platform X. The complaint alleges that the company, owned by Elon Musk, unlawfully used users’ personal data to train its AI systems without consent, in violation of EU privacy laws.

NOYB, led by privacy advocate Max Schrems, has filed General Data Protection Regulation (GDPR) complaints with nine European Union authorities. The complaints aim to increase pressure on Ireland’s Data Protection Commission (DPC), which is responsible for overseeing major U.S. internet firms operating in the EU.

According to the complaint, X allegedly used the personal data of over 60 million European users to train its AI system (Grok) without their consent. The DPC has initiated court proceedings against the tech giant, but critics argue that the response has been inadequate.

Schrems states, “We have seen countless instances of inefficient and partial enforcement by the DPC in the past years. We want to ensure that Twitter (X) fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case.”

According to TechCrunch, Meta halted a similar plan to process user data for AI training in June after NOYB supported GDPR complaints and regulators intervened. In contrast, X’s method of quietly using user data for AI training without notifying users seems to have gone unnoticed for several weeks.

The NOYB complaint suggests a straightforward solution: the EU’s GDPR allows users to “donate” their personal data for AI development by simply requesting their clear consent. If only a small fraction of Twitter’s 60 million users agreed to AI training, the company would still have ample data for its models. However, Twitter’s current approach is to use user data without informing them or seeking permission.

Schrems states, “Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well.”

The complaint states that while X has agreed to pause further AI training with EU data until September, NOYB’s complaint underscores the broader issues of compliance and transparency. However, no decision on the legality of the data use was made, and several questions remain unresolved. For instance, what will happen to the EU data already processed, and how can X properly separate EU data from non-EU data?

To address these concerns, NOYB has filed GDPR complaints with data protection authorities in nine countries to ensure a thorough investigation into the core legal issues surrounding X’s AI training.