X was hit with nine data protection complaints across Europe on Monday (12 August), just days after it said it will suspend the processing of some EU users’ personal data to develop artificial intelligence (AI).
On 6 August, Ireland’s Data Protection Commission (DPC) requested that a court orders the Elon Musk-owned platform to suspend or restrict the processing of personal data from EU users’ public posts to train Grok. Two days later, X agreed to halt the processing of such data collected between 7 May and 1 August, until the court decides on the DPC’s request.
The Irish DPC is responsible for overseeing X’s compliance with the EU’s General Data Protection Regulation (GDPR), as the company’s European headquarters are in Dublin. Grok is developed by xAI, a company founded by Musk, and used as a search assistant for premium accounts on the social media platform.
The complaints were filed by digital rights NGO Noyb, founded by influential activist and lawyer Max Schrems, in Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Spain, and Poland.
The DPC was not getting to the core of the problem, the legality of the processing itself, but rather X’s mitigation measures and cooperation with authorities, based on oral arguments made in Ireland’s High Court, Noyb argued in a Monday press release.
Noyb is therefore filing the complaints so that X’s practices are fully investigated for GDPR compliance. Noyb is requesting an urgency procedure, which can include a decision from the European Data Protection Board (EDPB), which oversees the data protection regulation’s application throughout the EU.
Noyb argues that X violated GDPR principles, as well as transparency and operational rules.
The group also questions how X’s plan can be implemented, as it hasn’t clarified what will happen to EU data already ingested in the AI systems and how it separates EU and non-EU data.
Questions around DPC
The DPC’s track record of enforcing the GDPR has been questioned over the past few years by digital rights advocates.
“We have seen countless instances if inefficient and partial enforcement by the DPC in the past years,” said Noyb chairman and founder Schrems in the press release.
Observers have interpreted the DPC’s taking X to court as a sign that, under new leadership since February, the authority is charting a new course. This was the first time any leading data protection authority had requested a court order to suspend a firm’s data processing, the DPC said.
But Noyb isn’t convinced. The digital rights NGO argues that involving more data protection authorities will pressure the DPC to “follow through” with the case and X to actually comply with the GDPR.
Consent
The DPC is skirting around the core issue, which is that X didn’t even properly ask users to consent to this type of data processing, said the digital rights NGO.
X changed its privacy policy to include data processing for training AI back in September 2023.
EU users’ data processing to train Grok started on 7 May, without giving users an opt-out option, said the judge hearing the case, according to the Irish Examiner.
That step was taken without mitigating risks previously revealed in X’s own risk assessment, required by EU law, wrote Johnny Ryan director of Enforce at the Irish Council for Civil Liberties in a LinkedIn post.
It is unclear when the DPC became aware of this, but the authority and company were in discussions in July, said Ryan.
X proposed “enhanced” mitigation that would apply on 16 July 2024, according to Ryan. This was not rolled out to all users, according to Ryan and the Irish Examiner.
X users only became aware that their data was actively processed to train AI through a viral post on 26 July, said Noyb.