The European Union's lead privacy watchdog for X (formerly Twitter) has closed legal proceedings against the social media platform for processing user data to train AI models without their consent, after the company announced it had agreed to permanently abide by commitments it made before an Irish High Court judge last month.
In early August, X agreed to suspend the processing of European users' data for training AI models after the Irish Data Protection Commission (DPC) filed a lawsuit against the Elon Musk-owned company for allegedly using personal data without permission to train its AI chatbot, Grok.
Meta has faced similar regulatory backlash in the EU over the same data protection issues, announcing a “move” on this type of processing in June, meaning Company X is not the only company to have incurred the wrath of regulators for its eagerness to reuse user data as training material for AI models.
“The DPC is pleased to announce the conclusion of the proceedings it brought in the Irish High Court on 8 August 2024,” the DPC said in a press release on Wednesday. “The matter was resubmitted to the court this morning and, having agreed that X will continue to comply with the conditions of the undertaking (the statement issued by the DPC on 8 August 2024) in perpetuity, the proceedings have been dismissed.”
Commenting on the case's conclusion in a statement, Commissioner (Chair) Des Hogan added: “The DPC welcomes today's outcome which protects the rights of EU/EEA citizens. This action further demonstrates the DPC's commitment to working with peer regulators in Europe to take appropriate action where necessary. We thank the Court for considering the case.”
The exact terms of Company X's (now permanent) contract with DPC have not been made public*, but we suspect the agreement limits how Company X can use people's data. We have asked DPC to confirm the terms of the contract and will update this article if we receive more information.
Company X was also approached for comment about its arrangement with DPC, but had not responded at the time of writing.
The platform previously slammed the Irish regulator through its Global Government Affairs account: In an August 7 post about X, the company described the DPC's actions as “deeply disturbing” and accused it of targeting X “without any basis.”
But the EU's General Data Protection Regulation (GDPR) sets out rules on how personal data should be processed, including strict requirements that there must be a valid legal basis for processing people's information, and X quickly faced a flood of GDPR complaints for using people's data for Grok training without asking for permission.
Why is Company X backing away from the fight now? A confirmed GDPR violation could result in sanctions of up to 4% of annual global turnover. And it's notable that Company X has not been fined for practices that the DPC deemed serious enough to warrant a court order to stop.
Company X may choose to pick its battles a little more carefully — after all, Musk is currently busy with high-profile legal and regulatory battles.
Asked to comment on the outcome of the DPC's case against X, Max Schrems, a European privacy rights campaigner whose non-profit organisation (noyb) has supported GDPR complaints against X and other companies over AI training issues, told TechCrunch: “Essentially, Twitter has avoided fines despite flagrant breaches of the law, data already captured in Grok AI has not been removed and Twitter continues to offer products based on illegally obtained data.”
Schrems also confirmed that Neub has no intention of dropping its complaint in the matter. “We will continue to lodge a complaint, but this should be properly decided by the DPC shortly, without any backroom deals,” he added.
The DPC also announced on Wednesday that it had requested an opinion from the European Data Protection Board (EDPB) on what it described as wider issues arising from the use of personal data in AI models across the industry, saying it hoped the GDPR governing body would produce guidance that could bring “much-needed clarity to this complex area.”
“The Opinion asks the EDPB to consider, inter alia, the relevant issues of the extent to which personal data are processed at different stages in the training and operation of AI models (including both first-party and third-party data) and what special considerations may arise in relation to the assessment of the lawful bases on which data controllers rely for that processing,” the DPC wrote.
DPC Commissioner Dale Sunderland commented in a separate statement of support: “The DPC hopes that this opinion will result in proactive, effective and consistent regulation across Europe in this area more broadly. It will also support the handling of the large number of complaints that have been submitted or sent to the DPC in relation to various data controllers for purposes relating to the training and development of a range of AI models.”
Previously, the regulator had sought guidance from the EDPB on how to apply GDPR to OpenAI's ChatGPT, an AI chatbot that is a rival to X's Grok, resulting in a preliminary report published in May that left core legal issues, such as the lawfulness and fairness of the processing, unresolved.
Update: *TechCrunch has obtained a copy of the contract between X and DPC regarding data for AI training. Here is the full text:
“Twitter International Unlimited Company undertakes, without prejudice to its position in litigation, that any personal data contained in EU/EEA public posts created and/or posted on the “X” social media platform (the “Platform”) by EU/EEA users and/or contained or included in metadata relating to such posts, as well as any personal data contained in datasets used for the purposes of developing, training and/or improving the Platform's enhanced search services or tools under the name “Grok” between 7 May 2024 and 1 August 2024, will be deleted and not processed again for the purposes of developing, training and/or improving the aforementioned Grok (within the meaning of Article 4(2) GDPR).”