Earlier this week, the EU’s lead privacy regulator ended its court proceeding related to how X processed user data to train its Grok AI chatbot, but the saga isn’t over yet for the Elon Musk-owned social media platform formerly known as Twitter. The Irish Data Protection Commission (DPC) has confirmed to TechCrunch that it’s received — and will “examine” — a number of complaints that have been filed under the bloc’s General Data Protection Regulation (GDPR).
“The DPC will now examine the extent to which any processing that has taken place complies with the relevant provisions of the GDPR,” the regulator told TechCrunch. “If, further to that examination, it is established that TUIC [Twitter International Unlimited Company, as X’s main Irish subsidiary is still known] has infringed the GDPR, the DPC will then consider whether the exercise of any of its corrective powers is warranted and, if so, which one(s).”
X agreed to suspend data processing for Grok training in early August. The undertaking X made to it was then made permanent earlier this week. That agreement committed X to delete and stop using Europeans users’ data to train its AIs which it had collected between between May 7, 2024 and August 1, 2024, according to a copy TechCrunch obtained. But it’s now clear there is no requirement on X to delete any AI models trained on the data.
So far, X hasn’t faced any sanction from the DPC for processing the personal data of Europeans to train Grok without people’s consent — despite the DPC’s urgent court action to block data collection. Penalties under the GDPR can be stiff, reaching up to 4% of global annual turnover. (Given that the company’s revenues are now in freefall, and could well scramble to hit $500 million this year based on reported quarterly figures, that might sting especially badly.)
Regulators are also empowered to order operational changes by demanding that infringement ceases. But complaints may take a long time — even up to several years — to investigate and enforce.
This is important because although X has been forced to stop helping itself to Europeans’ data to train Grok, it is still able to operate any AI models it’s already trained on the data of people who did not consent to the use — with no urgent intervention nor sanction to stop this happening as yet.
Asked whether the undertaking the DPC obtained from X last month required X to delete any AI models trained on Europeans’ data, the DPC confirmed to us it does not: “The undertaking does not require TUIC to carry out this action; it required TUIC to permanently cease the processing of the datasets covered by the undertaking,” a spokesperson said.
Some might say this is a neat way for X (or others training models) to circumvent the EU’s privacy rules: Step 1) Quietly help yourself to people’s data; Step 2) use it to train AI models and — when the cat’s out of the bag and regulators’ finally come knocking — commit to deleting *the data*, leaving your trained AI models intact. Step 3) Grok-based profit!?
Asked about this risk, the DPC responded by saying the purpose of its urgent court proceeding had been to act on “significant concerns” that X’s processing of EU and EEA users’ data to train Grok “gave rise to risk for the fundamental rights and freedoms of data subjects”. But it did not explain why it does not have the same pressing concern about risks to Europeans’ fundamental rights and freedoms from having their information embedded into Grok.
Generative AI tools are known to produce false information. Musk’s twist on the category is also intentionally irreverent — or “anti-woke” as he dubs it. That could amp up the risks about the types of content it may produce about users whose data was ingested to train the bot.
One reason the Irish regulator may be more cautious about how to deal with this issue is these AI tools are still relatively new. There’s also uncertainty among European privacy watchdogs how to enforce the GDPR against such a novel technology. Plus, it’s not clear whether the regulation’s powers would extend to being able to order AI model deletion if a technology has been trained on unlawfully processed data.
But as complaints continue to stack up in this area, data protection authorities will have to grasp the generative AI nettle sooner or later.
Going sour on Pickles
In separate X news Friday, it emerged X’s head of global affairs is out. Reuters reported the departure of long serving staffer, Nick Pickles, a U.K. national who spent a decade at Twitter, rising further up the ranks during Musk’s tenure.
In a post on X, Pickles claimed he made the decision to leave “several months ago” but does not elaborate on his reasons for leaving.
However it’s clear the company has a lot on its plate — including dealing with a ban in Brazil; and political blowback in the U.K. over its role in spreading disinformation linked to rioting in the country last month, with Musk’s personal penchant for pouring fuel on the fire (including posting on X to suggest that for the UK “civil war is inevitable”).
In the EU, X is also under investigation under the bloc’s content moderation framework. A first batch of Digital Services Act grievances were laid out in July. Musk was also recently singled out for a personal warning in an open letter penned by the bloc’s internal markets commissioner, Thierry Breton — to which the chaos-loving billionaire opted to respond with an insulting meme.