Photo: Bluecat_stock / Shutterstock.com
NOYB, a Vienna-based non-profit, has filed complaints against X’s unlawful data processing of European citizens for its artificial intelligence tool, Grok, between May 7 and August 1, 2024. These complaints have been filed with the data protection commissions in Austria, Belgium, France, Greece, Ireland, Italy, Netherlands, Spain, and Poland.
X, formerly Twitter, has found itself embroiled in controversy following revelations that it has been unlawfully using the personal data of over 60 million European users to train its artificial intelligence (AI) model, Grok, prompting widespread privacy concerns.
After the pressure, X halted the data processing of European citizens. However, its problems are just beginning.
The Irish Data Protection Commission (DPC), often criticised for its lenient stance towards tech giants, has taken the rare step of initiating court proceedings against X. However, the regulator’s actions have been met with scepticism.
While the DPC has moved to halt the illegal data mining and bring X’s systems into compliance with GDPR, the focus appears to be more on procedural issues than on addressing the core violation, X’s failure to obtain user consent.
Unsatisfied with the Irish DPC’s initial response, the privacy advocacy organisation NYOB has escalated the matter by submitting a formal complaint to data protection agencies across nine European nations.
This action aims to prompt a more thorough examination of X’s data handling practices.
“We have seen countless instances of inefficient and partial enforcement by the DPC in recent years. We want to ensure that Twitter fully complies with EU law, which – at a bare minimum – requires to ask users for consent in this case,” said Max Schrems, NOYB Chairman.
The core controversy concerns business interests and users’ fundamental rights. Under GDPR, personal data processing is unlawful unless justified under one of the six legal bases outlined in the regulation. These include situations where:
- The user has given explicit consent to the companies to process the personal data.
- Processing is necessary to fulfil a contract where the user is a party.
- Processing is necessary for legal obligation.
- The data is of vital interest to the individual.
- There is a matter of public interest or in the exercise of official authority.
- The situation is of legitimate interest to the third party except when it overrides the fundamental rights of the citizens.
The sixth point is the bone of contention with the tech giants saying that data processing of European citizens is necessary for the AI models. However, this rationale has already been rejected by the Court of Justice of the European Union as the data mining involves the personal data of citizens.
Furthermore, X’s handling of the situation has also been called into question. Despite having the capability to inform users of significant changes to its data processing practices, the company did not proactively disclose its use of personal data for AI training.
Instead, most users learned of the issue through other means including some tweets on the platform itself months after the data processing had begun.
Given the scale of the potential GDPR violations, NOYB has requested an emergency procedure under Article 66 of the regulation. This provision allows data protection authorities to issue preliminary halts to unlawful processing and to coordinate an EU-wide response through the European Data Protection Board (EDPB).
If found guilty, the EU can fine X up to 4% of its global turnover.
NOYB previously sued Xandr over GDPR compliance, Microsoft for unlawful child tracking, and OpenAI for inaccuracies.
In the News: Former YouTube CEO Susan Wojcicki passes away at 56