The Irish Data Protection Commission (DPC) has concluded its legal proceedings against X (formerly Twitter) regarding the use of European users' data to train artificial intelligence models without their consent. This resolution came after the company, owned by Elon Musk, agreed to permanently uphold a commitment made previously before a judge in Ireland's High Court.
X's agreement, signed in early August, involves suspending the processing of European users' personal data to train its AI chatbot, Grok. The DPC had launched legal action against the platform due to the lack of consent for using the data in AI model training.
Context of the Conflict
X is not the only tech company under scrutiny by European regulators. Meta, for example, faced similar pressure and paused this type of data processing in June. This scrutiny by the European Union stems from the General Data Protection Regulation (GDPR), which sets clear rules on the use of personal data, including the requirement for a valid legal basis for its processing.
The dispute with the DPC escalated when X, through its Global Government Affairs account, described the regulator's actions as "deeply troubling" and claimed it was being unfairly singled out. However, the GDPR clearly mandates obtaining users' consent before processing their data, and X has faced numerous complaints for using people's information without authorization.
Resolution Without Economic Penalty
Despite the seriousness of the violation, which could have resulted in sanctions of up to 4% of the company’s global annual revenue, X has not been fined so far. The company has committed to permanently halting the processing of European users' data to train its AI. Although the exact content of the agreement between X and the DPC has not been disclosed, it is assumed that it limits the use of personal data.
Max Schrems, privacy rights activist and founder of the organization noyb, expressed concern about the lack of financial penalties. Schrems criticized that, despite a clear violation of the law, X had avoided a fine and could continue using the data it had previously collected. He also confirmed that his organization would maintain the complaints filed against X to ensure the DPC resolves the issue properly.
Regulatory Impact on the Tech Industry
The DPC has requested that the European Data Protection Board (EDPB) issue an opinion on the use of personal data in industrial AI models. The goal is to provide more clarity on how GDPR regulations should be applied in this context. The DPC seeks to establish more uniform and effective regulations across Europe for the use of data in AI development.
The case of X highlights growing tensions between big tech companies and European regulators, especially regarding privacy and data processing in the AI era. Decisions made in this area could have significant implications for other platforms seeking to leverage user data to develop and train their own AI technologies.