X’s AI training process breaks EU law, according to nine new data protection complaints

Elon Musk’s social media platform X (formerly Twitter) has violated the General Data Protection Regulation (GDPR) by training its AI model “Grok” on users’ posts, according to nine complaints submitted across the EU by privacy campaign group noyb. 

Training a Large Language Model (LLM), such as Grok, involves the analysis of large amounts of natural language—in this case, users’ posts on X. Noyb alleges that X used people’s posts without properly notifying them and despite an ongoing dispute with the Irish data protection regulator. 

Here’s the story of X’s AI training policy, how the Irish authorities attempted to stop it, and why noyb alleges that X is violating the law. 

Training AI on users’ data

In September 2023, X added the following sentence to its privacy notice: 

“We may use the information we collect and publicly available information to help train our machine learning or artificial intelligence models for the purposes outlined in this policy.”

Seven months later, according to the noyb’s complaints, X began training AI models on EU-based users’ posts. 

Besides the September privacy notice update, Noyb alleges that X did not properly notify users about this use of their personal data. The policy allegedly came to mainstream attention on 26 July after an X user posted about a new option in X’s settings to disable “data sharing”. 

“X users did not receive any email or pop-up about this new default setting,” noyb alleges in its complaint to the Irish Data Protection Commission (DPC)—one of nine regulators that have received complaints from noyb, alongside those in Austria, Belgium, France, Greece, Italy, Netherlands, Spain and Poland. 

The complaint also states that X users’ data “may also be shared with xAI, a separate Elon Musk-led company ‘working on building artificial intelligence’ that includes but is not limited to Grok.” 

Opting out of data sharing 

Noyb’s complaint explains how the opt-out process requires a user to take seven steps to opt out of X’s “data sharing” setting, including logging into X, navigating the settings menu, and opening several submenus before toggling the button. 

“Twitter has done everything to ensure that data subjects will not change the default setting,” noyb alleges, adding that the opt-out was not initially available in X’s mobile app. 

(Note that noyb refers to X’s Irish entity, Twitter International Unlimited Company, as “Twitter”, whose social media platform and parent company are both known as “X”). 

Noyb claims that this allegedly complex opt-out process violates X users’ “right to object” under Article 21 of the GDPR. 

“Twitter has taken steps to deter data subjects from exercising their right to choose by pretending that data subjects only enjoy a right to object…” the complaint says. 

Irish Data Protection Commission (DPC) and High Court

Noyb suggests that the opt-out button resulted from an intervention by the Irish Data Protection Commission (DPC), X’s lead GDPR regulator in the EU, and the Irish High Court. 

The DPC began a consultation process with X last September following the privacy notice updates. X allegedly began training Grok on X users’ posts in May, while this consultation process was underway. 

On 16 July, the DPC reportedly ordered X to adopt “enhanced mitigation procedures” to limit the risks posed by its AI training policy, but noyb claims these procedures failed due to “unspecified ‘technical issues.’” 

In early August, Irish High Court records revealed that X had agreed to pause the training of its AI models using EU users’ personal data. 

According to noyb, the DPC has initiated the GDPR’s “urgency procedure”, which allows regulators to issue short-term orders against companies suspected of data protection violations. 

What happens next?

Despite X having paused the training of its AI model on EU users’ posts, noyb raises the following allegations and concerns about the company’s activities: 

• The pause only relates to ongoing and future data-processing activities and appears not to address the personal data X has already used for AI training. 
• The opt-out button implemented by X as an “enhanced mitigation procedure” is not an adequate way to protect users’ data protection rights. 
• The AI training process is difficult or impossible to reverse—once an LLM has been trained on a given piece of personal data, the data subject cannot meaningfully exercise their right to erasure under the GDPR. 
• The temporary nature of the pause does not represent a long-term solution to protect X users’ personal data. 

Noyb alleges that X has violated the following GDPR provisions: 

• Article 5(1) and (2) (the principles of data processing)  
• Articles 6(1) and (4) (lawfulness of processing and compatibility of purposes) 
• Article 9(1) (special categories of personal data 
• Article 12(1) and (2) (providing information and facilitating data subjects’ rights) 
• Article 13 (1) and (2) (information to be provided to data subjects)  
• Article 17(1)(c) (the right to erasure) 
• Article 18(1)(d) (the right to restrict processing after exercising the right to object) 
• Article 19 (the obligation to notify other parties that a data subject has exercised their rights
• Article 21(1) (the right to object) 
• Article 25 (data protection by design and by default) 

Noyb has called on EU data protection authorities to investigate X on the above grounds and prohibit the company from training its AI model on EU users’ personal data without consent.