X Faces Potential EU Sanctions Over Grok AI Training Despite Irish Court Case Dismissal

Elon Musk's X could still face sanctions for training Grok on Europeans' data

Earlier this week, the EU's lead privacy regulator ended its court proceeding related to how X processed user data to train its Grok AI chatbot, but the saga isn't over yet for the Elon Musk-owned social media platform formerly known as Twitter. The Irish Data Protection Commission (DPC) has confirmed to TechCrunch that it's received -- and will "examine" -- a number of complaints that have been filed under the bloc's General Data Protection Regulation (GDPR). "The DPC will now examine the extent to which any processing that has taken place complies with the relevant provisions of the GDPR," the regulator told TechCrunch. "If, further to that examination, it is established that TUIC [Twitter International Unlimited Company, as X's main Irish subsidiary is still known] has infringed the GDPR, the DPC will then consider whether the exercise of any of its corrective powers is warranted and, if so, which one(s)." X agreed to suspend data processing for Grok training in early August. The undertaking X made to it was then made permanent earlier this week. That agreement committed X to delete and stop using Europeans users' data to train its AIs which it had collected between between May 7, 2024 and August 1, 2024, according to a copy TechCrunch obtained. But it's now clear there is no requirement on X to delete any AI models trained on the data. So far, X hasn't faced any sanction from the DPC for processing the personal data of Europeans to train Grok without people's consent -- despite the DPC's urgent court action to block data collection. Penalties under the GDPR can be stiff, reaching up to 4% of global annual turnover. (Given that the company's revenues are now in freefall, and could well scramble to hit $500 million this year based on reported quarterly figures, that might sting especially badly.) Regulators are also empowered to order operational changes by demanding that infringement ceases. But complaints may take a long time -- even up to several years -- to investigate and enforce. This is important because although X has been forced to stop helping itself to Europeans' data to train Grok, it is still able to operate any AI models it's already trained on the data of people who did not consent to the use -- with no urgent intervention nor sanction to stop this happening as yet. Asked whether the undertaking the DPC obtained from X last month required X to delete any AI models trained on Europeans' data, the DPC confirmed to us it does not: "The undertaking does not require TUIC to carry out this action; it required TUIC to permanently cease the processing of the datasets covered by the undertaking," a spokesperson said. Some might say this is a neat way for X (or others training models) to circumvent the EU's privacy rules: Step 1) Quietly help yourself to people's data; Step 2) use it to train AI models and -- when the cat's out of the bag and regulators' finally come knocking -- commit to deleting *the data*, leaving your trained AI models intact. Step 3) Grok-based profit!? Asked about this risk, the DPC responded by saying the purpose of its urgent court proceeding had been to act on "significant concerns" that X's processing of EU and EEA users' data to train Grok "gave rise to risk for the fundamental rights and freedoms of data subjects". But it did not explain why it does not have the same pressing concern about risks to Europeans' fundamental rights and freedoms from having their information embedded into Grok. Generative AI tools are known to produce false information. Musk's twist on the category is also intentionally irreverent -- or "anti-woke" as he dubs it. That could amp up the risks about the types of content it may produce about users whose data was ingested to train the bot. One reason the Irish regulator may be more cautious about how to deal with this issue is these AI tools are still relatively new. There's also uncertainty among European privacy watchdogs how to enforce the GDPR against such a novel technology. Plus, it's not clear whether the regulation's powers would extend to being able to order AI model deletion if a technology has been trained on unlawfully processed data. In separate X news Friday, it emerged X's head of global affairs is out. Reuters reported the departure of long serving staffer, Nick Pickles, a U.K. national who spent a decade at Twitter, rising further up the ranks during Musk's tenure. In a post on X, Pickles claimed he made the decision to leave "several months ago" but does not elaborate on his reasons for leaving. However it's clear the company has a lot on its plate -- including dealing with a ban in Brazil; and political blowback in the U.K. over its role in spreading disinformation linked to rioting in the country last month. with Musk's personal penchant for pouring fuel on the fire (including posting on X to suggest that for the UK "civil war is inevitable"). In the EU, X is also under investigation under the bloc's content moderation framework. A first batch of Digital Services Act grievances were laid out in July. Musk was also recently singled out for a personal warning in an open letter penned by the bloc's internal markets commissioner, Thierry Breton -- to which the chaos-loving billionaire opted to respond with an insulting meme.

X won't use EU tweets to train Grok AI model, Irish regulators say

Irish court proceedings have been dropped against the social media platform X, regulators said. The Irish Data Protection Commission (DPC) said this week that court proceedings against the social media platform X have ended as the company agreed to permanently suspend personal data collection for EU users to train its artificial intelligence (AI). Social media company X changed its privacy settings in July so EU users had to opt out of having xAI use their public posts to train Grok, Elon Musk's new AI model. The DPC filed an emergency request to the Irish High Court about the changes because they believed privacy rights were being violated. The DPC complaint asked X to suspend the processing of the data that had been collected between May 7 and August 1, 2024 for AI training. On August 8, the regulator said X agreed to suspend its data processing to train AI. In a statement, the DPC "welcomed" the outcome with X, saying that it "protects the rights of EU citizens". Grok is X's answer to ChatGPT and "answers almost any user question with a touch of wit and humour, while also providing helpful and insightful responses". However, this isn't the end of the issue between the DPC and X, who is now asking the European Data Protection Board (EDPB), the EU body in charge of enforcing the bloc's privacy laws, to decide whether the platform did breach any. Dale Sutherland, Ireland's data commissioner, said in a statement that he wants the EDPB to consider a "proactive, effective and consistent Europe-wide regulation," about AI companies using social media posts to train their models. This is the latest setback for Elon Musk and his two companies, X and xAI, the company behind Grok. The European Centre for Digital Rights (monikered "none of your business") launched another nine complaints in August against xAI for allegedly breaching 16 articles of the EU's privacy laws. Euronews reached out to X and xAI but did not receive an immediate reply. In an August 8 post from their Global Governance Affairs team, X called the DPC's order "unwarranted, overboard and singles out X without any justification". "While many companies continue to scrape the web to train AI models with no regards for user privacy, X has done everything it can to give users more control over their data," it continued. X said in August they would challenge the DPC's initial complaint with "all available avenues," but it's not clear what option, if any, it has chosen. The EDPB has one month to adopt a decision by a two-thirds majority from a case's referral date, according to their website. X could be fined up to 4 per cent of global income to a maximum of €20 million or a permanent ban on data collection if the EDPB finds they have violated the EU's privacy laws.