
X’s use of European user data for Grok may have breached the GDPR

Elon Musk’s social media giant X is currently being investigated by an EU data watchdog after it was accused of using the data of European users to train its large language models (LLMs).


The Irish Data Protection Authority (DPA) has said X used public posts from European users to train Grok, meaning EU citizen data was collected and processed, which is against the General Data Protection Regulation (GDPR).

The DPA is referring to a change made on 7 May 2024 by X, which saw it process the personal data of its users, including European citizens. While X introduced an opt-out option for the feature, it was enabled by default.

Questioning if this was a violation of the GDPR, the DPA filed a lawsuit against X in the Irish High Court. X responded by halting the processing of European user data.

“The DPC welcomes today’s outcome, which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action, where necessary, in conjunction with its European peer regulators. We are grateful for the court’s consideration of the matter,” said Des Hogan, DPC commissioner.

Now, the EU Data Protection Commission (DPC) is investigating whether X’s actions breached the GDPR.

“The [DPC] has today announced the commencement of an inquiry into the processing of personal data comprised in publicly accessible posts posted on the ‘X’ social media platform by EU/EEA users, for the purposes of training generative artificial intelligence models, in particular the Grok large language models (LLMs),” said the DPC.

“The inquiry will examine compliance with a range of key provisions of the GDPR, including with regard to the lawfulness and transparency of the processing.

“Like other modern LLMs, the Grok LLMs have been developed and trained on a wide variety of data. This inquiry considers a range of issues concerning the use of a subset of this data, which was controlled by XIUC [X, ed.] – namely personal data comprised in publicly accessible posts posted on the ‘X’ social media platform by EU/EEA users.

“The purpose of this inquiry is to determine whether this personal data was lawfully processed in order to train the Grok LLMs.”

If X is found to have breached the GDPR, the DPC can impose penalties of €20 million, or 4 per cent of the company’s total annual revenue in severe cases.

Daniel Croft


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding of, and experience writing in, the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.