Despite the conclusion of the Irish Data Protection Commission’s (DPC) court proceedings against social media platform X, questions about its Artificial Intelligence (AI) data practices and compliance with EU data protection laws remain.
Court proceedings by the Irish DPC against X ended on 4 September, after the company agreed to permanently stop processing some personal data for training its AI tool, Grok. The tool, developed by Musk’s company xAI, is used as a search assistant for premium accounts.
The Irish DPC had filed a case in Ireland’s High Court against X for alleged violations of the EU’s General Data Protection Regulation (GDPR), seeking a halt or restriction on X’s processing of user data for AI training.
However, the agreement does not fully address how the measures will be implemented.
“The DPC has not really questioned the core issue, which is taking all that personal data without user consent,” said Max Schrems, chairman of the NGO Noyb, the European Center for Digital Rights. Noyb filed nine data protection complaints against X in August after an interim agreement between X and the DPC to stop the processing of some EU user data.
The DPC told Euractiv it received complaints about X and will review its GDPR compliance, determining corrective actions if needed.
A European Data Protection Board (EDPB) press officer also confirmed to Euractiv last week that they had received the request for an opinion from the Irish DPC.
X did not respond to Euractiv’s inquiries.
Data controller and processor
One key question is which company is processing the data and whether the agreement by Ireland-based Twitter International Unlimited Company (TIUC) not to use certain datasets is enough. The other entity involved is US-based xAI Corp., according to Grok’s terms of service.
Under the GDPR, the roles of data controllers and processors depend on who determines the purpose and means of data processing and who executes it.
TIUC, which was the party in the legal proceedings with the Irish DPC, could be the controller if it decides how the data is used. Conversely, xAI Corp. could be the processor if it processes the data for TIUC. If both TIUC and xAI Corp. make decisions about the data, they could be joint controllers.
If both TIUC and xAI Corp. are data controllers, then halting data processing by TIUC alone will not be effective, said Danny Mekić, a PhD candidate at Leiden University.
Mekić, who was shadowbanned by X for exposing the European Commission’s microtargeting practices and later won a court ruling against X for GDPR and Digital Services Act (DSA) violations, said that both companies’ roles must be addressed to ensure complete compliance.
However, the DPC stated it was “not necessary for the DPC to examine” this issue.
The authority focused on TIUC as the data controller to address risks to data subjects’ rights rather than to punish TIUC or formally prove violations, it said.
Deleting data
X has not clarified how it will stop processing the data, which is challenging given the complexities of large language models.
The agreement involves data collected between 7 May and 1 August from EU/EEA users.
The datasets included in the undertaking have been deleted and can no longer be processed, the DPC said.
However, “deleting the data does not erase its imprint on the trained AI models,” wrote Marco Scialdone, a lawyer and adjunct professor at the European University of Rome, in a LinkedIn post.
Scialdone, who filed a GDPR complaint before the DPC court proceedings against X on behalf of consumer organisations, argued for “algorithmic disgorgement”. This involves retraining or deleting AI models influenced by the deleted data.
Legal basis
This case also raises questions about X’s reliance on ‘legitimate interest’ as the legal basis for its data processing, similar to Meta’s AI training using EU users’ data.
The legal basis of ‘legitimate interest’ allows companies to process data without explicit consent, provided it does not override user privacy rights. However, its adequacy in this context remains questionable.
Schrems said the DPC did not question the legality of the data processing itself; instead, the focus was on mitigation measures, like halting further data processing and X’s cooperation.
“The DPC seems to take action around the edges, but shies away from the core problem,” the activist said.
Théophane Hartmann contributed to the reporting.
[Edited by Eliza Gkritsi/Martina Monti]