Irish regulator wins battle against X’s AI model

The Irish Data Protection Commission (DPC) has obtained an opinion from the Irish High Court confirming its GDPR enforcement activity concerning the training of X’s AI model. 

The DPC has been criticized for its timid approach to data protection enforcement, particularly against US tech companies. But there are signs in the regulator’s dispute with X that its approach might be changing. 

The background: X’s AI model training

Last September, X added a section to its privacy notice telling users it would process users’ personal data to train its AI model, Grok. 

The company began training its AI model on users’ public posts in May. The Irish DPC intervened in August, securing an undertaking from X (obtained by TechCrunch) that it would stop this processing and delete the associated data. 

The High Court opinion means X’s undertaking is legally binding. The case is the first example of the DPC using its powers under the Irish Data Protection Act 2018. 

What did the DPC tell X to do?

In May, following a September 2023 update to its privacy notice, X began using people’s public posts to train its AI model, Grok. 

The company provided an opt-out mechanism, but, according to a complaint to nine data protection authorities by privacy campaign group noyb, X’s opt-out mechanism employed dark patterns and did “everything to ensure that data subjects will not change the default setting.” 

The DPC entered consultation with X following the privacy notice update, alleging that training Grok on public posts represented a risk to people’s fundamental rights and freedoms,  

In an undertaking to the DPC, X reportedly committed to deleting and stopping the processing of public posts and associated metadata “for the purposes of developing, training and/or refining” Grok. 

The DPC applied to the Irish High Court to give X’s undertaking legal effect.  

Last week’s court opinion confirms the DPC’s position, with the judge finding the DPC’s application is appropriately urgent because X had failed to apply “enhanced mitigation measures” to safeguard users when training Grok.  

A change in approach from the Irish DPC?

The Irish regulator is under new leadership, with Commissioners Dale Sunderland and Des Hogan having succeeded Helen Dixon in February. Some privacy campaigners criticized former Commissioner Dixon for her alleged reluctance to enforce the GDPR against tech firms. 

This case suggests there could be a change in enforcement approach from the DPC, for two reasons: 

• It’s the is the first example of the DPC using its powers under Section 134 of the Data Protection Act 2018, which allows the regulator to make an application to the court to urgently protect people’s fundamental rights. 
• The DPC has also requested an urgent opinion from the European Data Protection Board (EDPB) to determine a common position on the “core issues” presented by X’s activities. 

At times, the DPC had a somewhat adversarial relationship under with the EDPB under Commissioner Dixon, who brought legal proceedings against the Board in early 2023 following one of many “Binding Decisions” involving Ireland and Meta. 

This suggests Ireland could be seeking a more collaborative relationship with its fellow EU regulators. For US tech firms, such as X, such a change in approach might be unwelcome.