X faces GDPR complaints for unauthorized use of data for AI training

European privacy advocate NOYB (None of Your Business) has filed nine GDPR complaints about X using the personal data from over 60 million users in Europe to train "Grok," the social media company's large language model.

According to NOYB, X did not inform its users that their data was being used to train AI and did not ask for their consent to the practice.

NOYB is a European non-profit privacy advocacy organization focused on enforcing digital rights and data protection laws, particularly GDPR, which it achieves by filing related complaints to the applicable authorities.

The group's actions have previously led to fines imposed on Meta, Amazon, Apple, and Google for various GDPR violations.

Grok trained quietly

NOYB alleges that Grok used vast amounts of personal data of 60 million users in the EU and EEA without proper legal basis or user consent, which significantly violates GDPR principles.

This lack of transparency in Grok's training methods was first noticed in late July 2024 by user @EastBakedOven, who discovered the issue while scrutinizing recent changes on X account settings.

The particular setting, which remains ticked by default, reads: "Allow your posts, as well as your interactions, inputs, and results with Grok, to be used for training and fine-tuning."

In the setting's description, X states that it may use the data mentioned to "fine-tune" Grok and may also share it with its service provider, xAI, for similar purposes.

Last week, Ireland's Data Protection Commissioner (DPC) expressed satisfaction with the agreement it reached with X, where the latter agreed to suspend the processing of personal data until September.

The DPC announcement notes that the unauthorized Grok training took place between May 7 and August 1, 2024.

Commenting on the DPC's agreement with X, NOYB's chairman, Max Schrems, stated that the agency failed to investigate the legal aspect of this matter and instead focused on proposals for implementing mitigation measures.

Finding DPC's action "half-hearted," NOYB decided to file multiple GDPR complaints for a list of violations pertinent to GDPR's Articles 5(1) and (2), 6(1), 9(1), 12(1) and (2), 13(1) and (2), 17(1)(c), 18(1)(d), 19, 21(1) and 25, hoping that this will prompt a full investigation.

NOYB seeks answers on why X did not inform users about Grok's training two months after it had started, what happened to EU data already ingested on the training datasets, and how it can adequately separate EU from non-EU data.

Additionally, the organization questions why Twitter is still not prompting EU-based users to gain permission to use their data for training Grok, which is the only designated GDPR-compliant method to do it.

BleepingComputer contacted Twitter to comment on NOYB's action and allegations, but we have received a "check back later" auto-response.