Elon Musk might think he has scored a major victory against the ad industry after X’s legal action has led to the demise of the Global Alliance for Responsible Media but he now faces a much tougher opponent in the form of privacy campaigner Max Schrems, who has rifled off a barrage of complaints over X’s data protection record.
The move follows claims that X has been unlawfully using the personal data of more than 60 million users in the EU/EEA since May 2024 without their consent to train its AI technologies like “Grok”.
Unlike Meta – which was recently forced to stop AI training in the EU – X did not even inform its users in advance, with the Irish Data Protection Commission last week launching court proceedings against the company to stop the illegal processing.
However, privacy organisation NOYB, which is backed by Schrems, claims that a court hearing last Thursday revealed that the Irish DPC is mainly concerned with so-called “mitigation” measures and the fact that X started processing while still being in a mandatory consultation process with the regulator under Article 36 of GDPR.
NOYB maintains that the Irish DPC has not gone for the core violations and has now filed GDPR complaints with the data protection authorities in nine countries, to ensure that the core legal problems around X AI training are fully addressed.
The organisation argues that the more EU data protection authorities get involved in the proceedings, the greater the pressure on the Irish DPC to follow through with its case and on X to actually comply with EU law.
Schrems said: “The court documents are not public, but from the oral hearing we understand that the Irish DPC was not questioning the legality of this processing itself. It seems the regulator was more concerned with so-called ‘mitigation measures’ and a lack of cooperation by X. The Irish DPC seems to take action around the edges, but shies away from the core problem.”
During the first hearing, the Irish DPC has settled with X to pause further training of the algorithm with EU data until September. Even so, NOYB says no determination on the legality was made and many questions remain unanswered.
For example, it questions what has happened with EU data that was already ingested in the systems and how can X separate EU and non-EU data.
NOYB believes X has breached a number of other GDPR provisions, including GDPR principles, transparency rules and operational rules. Overall, its complaints list violations of at least Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25.
Schrems concluded: “We have seen countless instances if inefficient and partial enforcement by the Irish DPC in the past years. We want to ensure that X fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case.
“Companies that interact directly with users simply need to show them a yes/no prompt before using their data. They do this regularly for lots of other things, so it would definitely be possible for AI training as well.”
Related stories
Mass GDPR complaints force Meta to pause AI data grab
Meta’s mega AI data grab sparks mass GDPR complaint
Germans back fight against ChatGPT data inaccuracies
Industry in peril as Schrems declares war on ChatGPT
Brussels blows ‘pay or consent’ models out of the water
Meta hit by double whammy over ‘illegal’ data practices
Meta ad-free service faces data protection showdown