Musk’s X under scrutiny in Europe for data privacy practices

Elon Musk’s X platform faces legal action in Ireland, with the Data Protection Commission (DPC) filing High Court proceedings over concerns related to the handling of European users’ personal data.

DPC has raised concerns about X’s use of public posts from the European Union and European Economic Area (EU/EEA) to train AI systems, including its chatbot “Grok,” according to an RTE report.

The commission alleges that X’s use of Grok violates GDPR guidelines on data protection and privacy.

DPC is also concerned about the planned August launch of a new version of Grok, allegedly trained on EU/EEA users’ personal data, which could exacerbate existing issues.

X has reportedly refused the DPC’s requests to halt data processing or delay the new Grok release.

The option to opt-out

DPC’s action seeks orders to suspend, restrict, or prohibit X from processing users’ personal data for developing, training, or refining machine learning, large language models, or other AI systems.

X’s global government affairs team has responded to the proposed order, saying that while many companies continue to scrape the web to train AI models with no regard for user privacy, X has done everything it can to give users more control over their data.  

“Unlike the rest of the AI industry, we chose to provide a simple control to all X users, allowing them to decide if their public posts and engagement activity could be used to improve the models used by Grok,” the team said on the social media platform. “We also allow users to control all interactions with Grok, including deleting their conversation history.” 

According to the RTE report, the DPC acknowledges that X has implemented some mitigation measures, such as an opt-out mechanism, but deems it insufficient.

The commission alleges that a significant number of X’s millions of European users have had their data processed—and continue to have it processed—without the benefit of these protective measures.

Worsening perception of X

This situation, coupled with the potential for hefty fines and ongoing regulatory scrutiny, contributes to a negative perception of X’s commitment to data privacy, according to Prabhjyot Kaur, senior analyst at Everest Group.

“The public and media scrutiny surrounding these issues can further damage X’s reputation, as users and stakeholders may view the company as irresponsible or non-compliant with fundamental privacy standards,” Kaur said. “Competitors that demonstrate stronger adherence to data privacy laws could attract users seeking more secure platforms, amplifying the reputational risk for X.”

The DPC also plans to refer the matter to the European Data Protection Board. Kaur noted that X, already with a history of GDPR non-compliance, now faces heightened pressure to improve data protection practices, enhance transparency, and restore user trust, particularly in Europe.

The DPC’s actions also underscore a broader trend of stringent data protection enforcement across the EU, signaling regulators’ readiness to take swift and decisive measures against perceived GDPR violations. This move sets a significant precedent for future cases.

“Meta, for instance, halted its AI training plans in June following GDPR complaints, demonstrating the regulatory pressure on tech companies to comply with data privacy laws,” Kaur said. “The involvement of the European Data Protection Board indicates that this issue may influence data protection policies and enforcement strategies across the EU.”