Earlier this week, the European Union’s primary privacy regulator brought a temporary halt to its legal proceedings against X (formerly known as Twitter) regarding the platform’s use of user data for AI training. However, this doesn’t mean the storm has passed for Elon Musk’s social media platform. The Irish Data Protection Commission (DPC), which leads privacy enforcement in the EU, has confirmed that it has received several complaints under the General Data Protection Regulation (GDPR) and will thoroughly investigate them.
“The DPC will now examine the extent to which any processing that has taken place complies with the relevant provisions of the GDPR,”. “If, further to that examination, it is established that TUIC [Twitter International Unlimited Company, as X’s main Irish subsidiary is still known] has infringed the GDPR, the DPC will then consider whether the exercise of any of its corrective powers is warranted and, if so, which one(s).”
The Agreement and the Loophole
In early August, X agreed to suspend its data processing for Grok’s AI training. This suspension has since become a permanent commitment, preventing X from using the data of European users collected between May 7, 2024, and August 1, 2024, for AI training purposes. However, a crucial detail has emerged: while X is required to cease using this data, there is no mandate for the company to delete any AI models that were trained using it. This loophole could potentially allow X to retain the benefits derived from the unlawfully processed data while avoiding immediate sanctions.
Despite the DPC’s urgent court action to halt the data collection, X has yet to face any penalties for using Europeans’ personal data without consent to train Grok. Under GDPR, the penalties for such violations can be severe, reaching up to 4% of global annual turnover. Given X’s current financial struggles—where revenue projections suggest a potential drop to $500 million this year—a hefty fine could hit the company hard.
Regulators also have the power to demand operational changes, including ordering that infringing practices cease entirely. However, these complaints often take years to investigate and enforce, leaving the door open for X to continue operating AI models trained on non-consensual data in the interim.
A Neat Circumvention?
Critics might argue that X, and others engaging in similar practices, could be exploiting a loophole in the GDPR. The process is straightforward: first, quietly collect and use personal data to train AI models. Then, when caught, agree to delete the data itself while keeping the AI models intact. The result? A potentially profitable AI tool, such as Grok, remains in operation without the need to retrain the models, despite the questionable legality of the data collection process.
When asked whether the DPC’s agreement required X to delete any AI models trained on Europeans’ data, the regulator confirmed that it did not. The agreement only required TUIC to permanently stop processing the datasets in question. This leaves a significant grey area: while the data must be deleted, the AI models that benefited from it do not.
The AI Conundrum and Regulatory Uncertainty
The risks associated with this approach are not insignificant. Generative AI tools are known to produce false information, and Musk’s version, which he describes as “anti-woke,” could amplify concerns about the types of content produced by Grok, especially when trained on data without user consent. The potential for harm is real, and it raises pressing questions about the protection of European citizens’ rights.
One reason the Irish regulator might be treading carefully is the novelty of AI tools like Grok. European privacy watchdogs are still grappling with how to apply the GDPR to these emerging technologies. Additionally, it remains unclear whether GDPR powers extend to ordering the deletion of AI models trained on unlawfully processed data. As complaints continue to pile up, however, data protection authorities will eventually have to confront the challenges posed by generative AI.
More Trouble on the Horizon: The Departure of Nick Pickles
In a related development, X’s head of global affairs, Nick Pickles, announced his departure from the company. According to Reuters, Pickles, a U.K. national who spent a decade at Twitter and rose through the ranks under Musk’s leadership, claimed in a post on X that he decided to leave “several months ago,” though he did not elaborate on his reasons.
Pickles’ departure comes at a tumultuous time for X, which is dealing with a ban in Brazil, political backlash in the U.K. over its role in spreading disinformation, and ongoing investigations in the EU under the bloc’s content moderation framework. The company is also facing a first batch of grievances under the Digital Services Act, with Musk himself recently receiving a personal warning from the EU’s internal markets commissioner, Thierry Breton. True to form, Musk responded to the warning with an insulting meme.
What’s Next for X and European Regulators?
As X navigates these choppy waters, the company’s future in Europe remains uncertain. The DPC’s investigation could lead to significant penalties and force X to make further operational changes. Meanwhile, the broader question of how to regulate AI tools like Grok will likely take center stage in the ongoing debate over privacy and data protection in the digital age.
The European regulatory saga surrounding X and its AI ambitions is far from over. With complaints piling up and the potential for stiff penalties, this story is one to watch closely in the months and years ahead. Will X emerge unscathed, or will the weight of European regulation finally bring it to heel? Only time will tell.
