X, formerly known as Twitter, recently made a change that has raised concerns about user data privacy. Users of the platform noticed that their data is being defaulted into the AI training pool for Grok, a conversational AI developed by Elon Musk-owned X. Grok is intended to compete with OpenAI’s ChatGPT, but with a focus on humor and less political correctness.
The move has caught the attention of the Irish Data Protection Commission (DPC), which oversees X’s compliance with the European Union’s General Data Protection Regulation (GDPR). The DPC expressed surprise at X’s decision and has reached out to the company for more information. The GDPR allows for penalties of up to 4% of global annual turnover for confirmed breaches.
The default-enabled Grok data-sharing setting on X states that users’ posts, interactions, inputs, and results with Grok may be used for training and fine-tuning. It also mentions that these data may be shared with the service provider xAI. However, the language used is ambiguous, leaving it unclear whether X is using all user data or only specific interactions for training Grok.
In the European Union, companies must have a valid legal basis for processing user data under privacy laws. It is uncertain whether X has one in this case. Meta, the parent company of Facebook and Instagram, faced similar regulatory scrutiny in Europe when it attempted to repurpose user data for AI training.
The DPC expects further updates on the Grok AI data-sharing issue in the coming week. Despite reaching out to X for clarification on the legal basis for processing European users’ data, the company’s response has been limited to an automated message stating that they are currently busy.
This situation highlights the ongoing challenges surrounding data privacy and the need for companies to adhere to regulations such as the GDPR. Users should be informed about how their data is being used and have the option to opt out if they have concerns about privacy. Regulatory bodies like the DPC play a crucial role in ensuring compliance and holding companies accountable for any breaches.
