The lead privacy watchdog for X (formerly Twitter) in the European Union has ended court proceedings against the social media platform for processing user data for AI model training without people’s consent. This comes after it said the company had agreed to permanently abide by an undertaking made last month in front of an Irish High Court judge.
X agreed to suspend its processing of European users’ data for AI model training in early August after Ireland’s Data Protection Commission (DPC) initiated legal action against the Elon Musk-owned company in relation to consentless use of people’s information to train its AI chatbot, Grok.
Meta has faced similar regulatory pushback in the EU over the same data protection issue and announced its own “pause” in this type of processing back in June. So X is not alone in having attracted regulatory ire over its scramble to repurpose user data as AI model training fodder.
“The DPC is pleased to announce the conclusion of the proceedings it brought before the Irish High Court on August 8, 2024,” the DPC wrote Wednesday in a press release. “The matter was back before the Court this morning and the proceedings have been struck-out on the basis of X’s agreement to continue to adhere to the terms of the undertaking (DPC Statement issued 08 Aug 24) on a permanent basis.”
Commenting on the legal action’s conclusion in a statement, commissioner (chairperson) Des Hogan added: “The DPC welcomes today’s outcome which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action where necessary, in conjunction with its European peer regulators. We are grateful for the Court’s consideration of the matter.”
The exact contents of X’s (now permanent) undertaking with the DPC have not been made public*, but it’s assumed the agreement limits how it can use people’s data. We’ve asked the DPC to confirm the substance of the undertaking and will update this story if it provides this information.
X was also contacted for comment on its arrangement with the DPC, but as of the time of writing, it had not provided a statement.
The platform previously lashed out at the Irish regulator via a Global Government Affairs account. In an August 7 post on X the company described the DPC’s actions as “deeply troubling,” accusing it of singling out X “without any justification.”
However the EU’s General Data Protection Regulation (GDPR) sets out rules for how personal data can be processed, including a hard requirement to have a valid legal basis to do things with people’s information. And X has quickly faced a raft of GDPR complaints for helping itself to people’s data for Grok training without asking their permission.
Why might X be stepping away from this fight now? Confirmed violations of the GDPR can lead to sanctions of up to 4% of global annual turnover. And it’s notable that there’s been no fine for X in relation to processing that the DPC thought was serious enough for a court injunction to stop it.
It’s also possible X may be opting to pick its battles a little more carefully. After all, Musk has a bunch of high-profile legal fights and regulatory tussles to keep him busy right now.
Reached for comment on the outcome of the DPC’s court proceeding against X, Max Schrems — the European privacy rights campaigner whose nonprofit (noyb) has supported GDPR complaints against X and others over the AI training issue — told TechCrunch: “Basically Twitter got away without any fine, despite a flagrant violation of the law. Data already ingested for ‘Grok AI’ will also not be deleted, and Twitter continues to offer the product based on unlawfully obtained data.”
Schrems also confirmed noyb will not withdraw its complaints on this issue. “We continue to maintain our complaints, which will have to be properly decided by the DPC soon, without backroom deals,” he added.
On Wednesday, the DPC also announced it’s made a request to the European Data Protection Board (EDPB) for an opinion in relation to what it couches as broader issues arising from the use of personal data in AI models across industry, saying it wants the GDPR steering body to produce guidance that can bring “some much needed clarity into this complex area.”
“The opinion invites the EDPB to consider, amongst other things, the extent to which personal data is processed at various stages of the training and operation of an AI model, including both first party and third party data and the related question of what particular considerations arise, in relation to the assessment of the legal basis being relied upon by the data controller to ground that processing,” the DPC wrote.
Commenting in another supporting statement, DPC commissioner Dale Sunderland added: “The DPC hopes that the resulting opinion will enable proactive, effective and consistent Europe-wide regulation of this area more broadly. It will also support the handling of a number of complaints that have been lodged with/transmitted to the DPC in relation to a range of different data controllers, for purposes connected with the training and development of various AI models.”
An earlier request by regulators for EDPB guidance on how to apply the GDPR around OpenAI’s ChatGPT — a rival AI chatbot to X’s Grok — yielded a preliminary report, published in May, that left crux legal issues such as the lawfulness and fairness of processing undecided.
Update: *TechCrunch has now obtained a copy of the undertaking between X and the DPC regarding data for training AI. Here it is in full:
“Without prejudice to its position in the proceedings, Twitter International Unlimited Company, undertakes that personal data comprised in EU/EEA publicly accessible posts made and/or posted on the ‘X’ social media platform (the ‘Platform’) by EU/EEA users and/or is contained or comprised in metadata related to such posts and which is contained in datasets which were used for the purposes of developing, training and/or refining the enhanced search service or tool of the Platform under the name ‘Grok’ between May 7, 2024 and August 1, 2024, shall be deleted and not processed (within the meaning of Article 4 (2) of the GDPR) for the aforementioned purposes of developing, training and/or refining Grok.”
