close
close

X faces GDPR complaints over unauthorized use of data for AI training

X faces GDPR complaints over unauthorized use of data for AI training
Posted on | Posted on Jasper

X faces GDPR complaints over unauthorized use of data for AI training

European data protection watchdog NOYB (None of Your Business) has filed nine GDPR complaints because X uses the personal data of over 60 million users in Europe to train “Grok,” the social media company’s large language model.

According to NOYB, X did not inform its users that their data would be used to train AI, nor did it ask them for their consent to this practice.

NOYB is a European non-profit data protection organisation focused on enforcing digital rights and data protection laws, in particular the GDPR, by filing complaints with the relevant authorities.

The group’s actions previously resulted in fines being imposed on Meta, Amazon, Apple and Google for various GDPR violations.

Grok trained quietly

NOYB claims that Grok used large amounts of personal data of 60 million users in the EU and EEA without appropriate legal basis or user consent, which constitutes a significant breach of GDPR principles.

This lack of transparency in Grok’s training methods was first noticed in late July 2024 by user @EastBakedOven, who discovered the issue while reviewing recent changes to the X account settings.

The specific setting that remains enabled by default is: “Allow Grok to use your contributions, interactions, inputs, and results for training and tuning.”

Tweet

In the setting description, X states that it may use the data mentioned to “fine-tune” Grok and may also share it with its service provider xAI for similar purposes.

Last week, Ireland’s Data Protection Commissioner (DPC) expressed satisfaction with the agreement reached with X, in which it agreed to suspend the processing of personal data until September.

The DPC’s notice states that the unauthorized Grok training took place between May 7 and August 1, 2024.

Commenting on the DPC’s agreement with X, NOYB Chairman Max Schrems stated that the agency had failed to examine the legal aspect of this matter and had instead focused on proposals for implementing remedial measures.

NOYB considered the DPC’s action to be “half-hearted” and therefore decided to file several GDPR complaints for a list of violations of Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25 of the GDPR, in the hope that this will lead to a comprehensive investigation.

NOYB seeks answers to the question why X did not inform users two months after starting training Grok, what happened to the EU data already included in the training datasets, and how to appropriately separate EU data from non-EU data.

In addition, the organization questions why Twitter still does not ask EU-based users to seek permission to use their data for Grok training, even though this is the only GDPR-compliant method to do so.

BleepingComputer reached out to Twitter for comment on NOYB’s actions and allegations, but we received an automated response saying, “Check back later.”

Leave a Reply

Your email address will not be published. Required fields are marked *