Just one week after X agreed to halt the processing of European Union user data to train its Grok AI, the company faces a fresh wave of GDPR complaints. The European privacy group Nyob has lodged nine complaints against X with the data protection authorities in Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Spain, and Poland.
The complaints come on the heels of X’s decision to cease the processing of data collected between May 7 and August 1. This action followed an urgent High Court application by the Irish Data Protection Commission (DPC) to stop the practice. This marks the first instance of a lead supervisory authority taking such a step and represents the DPC’s initial use of its powers under Section 134 of the Data Protection Act of 2018.
Des Hogan, the commissioner, emphasized the DPC’s role in protecting data subjects’ rights. “One of our main roles as an independent regulator and rights-based organization is to ensure the best outcome for data subjects. Today’s developments will help us continue protecting the rights and freedoms of X users across the EU and EEA,” he said.
Despite these developments, Nyob finds the DPC’s response lacking. The group has criticized the DPC’s actions as “half-hearted” and claims regulatory focus was misplaced. Nyob argues that the DPC concentrated on mitigation measures and that X initiated data processing while still engaged in a mandatory consultation process, rather than addressing the company’s fundamental violations.
Max Schrems, chairman of Nyob, noted, “The court documents are not public, but from the oral hearing, we understand that the DPC was not questioning the legality of this processing itself. It seems the DPC was concerned with so-called ‘mitigation measures’ and a lack of cooperation by Twitter. The DPC appears to address peripheral issues but avoids confronting the core problem.”
According to Nyob, the central issue is the unauthorized use of personal data from over 60 million users in the EU and EEA to train the Grok AI without obtaining explicit consent. This practice, Nyob argues, breaches numerous GDPR provisions including Articles 5(1), 5(2), 6(1), 9(1), 12(1), 12(2), 13(1), 13(2), 17(1)(c), 18(1)(d), 19, 21(1), and 25.
Schrems criticized the DPC’s past enforcement actions as ineffective. “We have observed numerous instances of inefficient and partial enforcement by the DPC over the years. We want to ensure that X fully complies with EU law, which, at a minimum, requires obtaining user consent in this case,” he said. “Companies that interact directly with users simply need to present a yes/no prompt before using their data. They do this regularly for many other purposes, so it is certainly feasible for AI training as well.”
In response to the ongoing issue, Nyob has requested an “urgency procedure” under Article 66 of the GDPR. This provision allows data protection authorities to impose preliminary halts in urgent situations and facilitates an EU-wide decision through the European Data Protection Board.
The DPC had previously ordered Meta to stop similar data processing for AI training, despite Meta’s claims of justification under “legitimate interest.” X has employed a similar argument for its data practices.
However, Schrems asserts that the current proceedings reveal that the DPC has not adequately addressed the fundamental issue: the collection of personal data without user consent. “The facts emerging from the Irish court proceedings suggest that the DPC has not sufficiently questioned the core issue, which is the acquisition of personal data without user consent,” he stated.
X has been contacted for comment but has not yet responded.
Leave a comment