Elon Musk’s social media platform, X, is facing a wave of privacy complaints across Europe after it was discovered that the platform had been processing user data from the European Union (EU) without consent to train its Grok AI chatbot. The revelation, uncovered by a vigilant social media user, has led to legal challenges under the General Data Protection Regulation (GDPR).
The Irish Data Protection Commission (DPC), responsible for overseeing X’s compliance with GDPR, expressed “surprise” at the discovery. GDPR mandates that any use of personal data must have a valid legal basis, typically requiring user consent. X’s processing of Europeans’ posts without explicit consent has triggered nine complaints across several EU countries, including Austria, Belgium, France, and Ireland.
Max Schrems, chairman of the privacy rights nonprofit noyb, criticized the DPC’s response as insufficient, emphasizing that X users have no way to delete data already used for AI training. Noyb argues that X’s reliance on “legitimate interest” as a legal basis is invalid, and consent should have been obtained. This echoes a previous ruling by Europe’s top court against Meta for similar data use.
X allowed users to opt out of the data processing only in late July, weeks after it had begun. However, the lack of transparency and the absence of a prior opt-out option have raised significant concerns. The GDPR is designed to protect users from unexpected uses of their data that could impact their rights and freedoms, making X’s actions a serious breach of the regulation.
The outcome of these complaints could have far-reaching implications for AI and data processing practices across the tech industry.
 without consent to train its Grok AI chatbot.){kind=link}