X, the social media platform owned by Elon Musk, is facing a series of privacy complaints after it was discovered that the platform had been using the data of European users without their consent to train its AI models. The Irish Data Protection Commission (DPC), which oversees X’s compliance with the General Data Protection Regulation (GDPR), expressed surprise at this revelation.
The GDPR requires all uses of personal data to have a valid legal basis, and the nine complaints against X, filed in multiple European countries, accuse the platform of processing users’ posts to train AI without obtaining their consent. Max Schrems, chairman of privacy rights nonprofit noyb, which is supporting the complaints, emphasized the importance of compliance with EU law and the need for X to ask users for their consent.
The DPC has already taken some action against X, seeking an injunction to stop the platform from using the data for AI training. However, noyb argues that this action is insufficient, as there is currently no way for X users to have their already ingested data deleted. In response, noyb has filed GDPR complaints in Ireland and seven other countries.
The complaints argue that X does not have a valid legal basis for using the data of approximately 60 million EU users without their consent. While X claims to rely on the legal basis of “legitimate interest,” privacy experts argue that obtaining user consent is necessary. Schrems suggests that companies should simply prompt users with a yes/no option before using their data, as they do for other purposes.
This is not the first time that X’s data processing practices have come under scrutiny. In June, the platform paused a similar plan to process user data for AI training after GDPR complaints and regulatory intervention. X’s approach of silently using user data for AI training without informing users allowed it to go unnoticed for several weeks.
Although X eventually introduced an opt-out setting for users to stop the processing, this option was only made available in late July. Prior to that, users had no way to block the processing, making it difficult for them to exercise their rights under the GDPR. The GDPR aims to protect individuals from unexpected uses of their data that could impact their rights and freedoms.
Noyb, in arguing against X’s legal basis, refers to a ruling by Europe’s top court that stated a legitimate interest basis is not valid for certain use-cases and that user consent should be obtained. Noyb also raises concerns about the compliance of generative AI systems with other GDPR requirements, such as the right to be forgotten and the right to access personal data.
Overall, these privacy complaints against X highlight the importance of obtaining user consent and respecting individuals’ rights when processing personal data for AI training. The GDPR serves as a crucial framework for ensuring privacy and data protection in the European Union, and companies must adhere to its requirements to maintain compliance and avoid penalties.