Com TW NOw News 2024

X accused of unlawfully using personal data of more than 60 million users to train its AI

It will come as no surprise: another complaint has been received about the use of social media data to train artificial intelligence (AI).

This time, the complaint is against X (formerly Twitter) and Grok, the conversational AI chatbot developed by Elon Musk’s company xAI. Grok is a large language model (LLM) chatbot that can generate text and have conversations with users.

Unlike other chatbots, Grok has the ability to access information through X in real time and respond to certain types of questions that would normally be rejected by other AI systems. Grok is available to X users with a Premium or Premium+ subscription.

According to the European privacy group NOYB (None Of Your Business):

“X began unlawfully using the personal data of over 60 million users in the EU/EEA to train its AI technologies (such as “Grok”) without their consent.”

NOYB decided to follow up on the proceedings brought by the Irish Data Protection Commission (DPC) in the High Court against Twitter International Unlimited Company over concerns about the processing of personal data of European users of the X platform. NOYB said it was unhappy with the outcome of those proceedings.

Twitter International Unlimited Company, based in Dublin, is the data controller in the EU with respect to all personal data on X.

The DPC found that Twitter International’s use of Grok breached its obligations under the GDPR, the EU regulation that sets guidelines for information privacy and data protection.

Despite the retrospective implementation of mitigating measures, the DPC states that the data of a very large number of X's millions of users in Europe has been and is still being processed without the protection of these mitigating measures, which is not in line with their rights under the GDPR.

But NOYB says the DPC misses the mark:

“The court documents are not public, but from the oral hearing we understand that the DPC did not itself question the lawfulness of this processing. It appears that the DPC was concerned about so-called ‘mitigation measures’ and a lack of cooperation from Twitter. The DPC appears to be taking action on the edges, but avoiding the core of the problem.”

For this reason, NOYB has now filed GDPR complaints with data protection authorities in nine countries (Austria, Belgium, France, Greece, Ireland, Italy, the Netherlands, Poland and Spain).

All they had to do was ask

The EU GDPR offers a simple solution for companies that want to use personal data for AI development and training: just ask users for consent in a clear way. But X simply took the data without asking for consent, and later created an opt-out option, referred to as mitigation measures.

It wasn’t until two months after Grok training started that users noticed that X had activated a default setting for everyone that gave the company the right to use their data to train Grok.

In a similar case on the use of personal data for targeted advertising, Meta argued that it has a legitimate interest that overrides the fundamental rights of users. This is one of six possible legal bases to avoid the GDPR, but the Court of Justice rejected this reasoning.

Many AI vendors have run into problems with the GDPR, in particular the regulation that prescribes the “right to be forgotten”, something that most AI systems cannot comply with. A good reason not to include this data in their AI systems in the first place, I would say.

Likewise, these companies always claim that it is impossible to respond to requests for a copy of the personal data in training data or the sources of such data. They also claim that they are unable to correct incorrect personal data. All of these concerns raise many questions when it comes to the unlimited incorporation of personal data into AI systems.

When the EU adopted the EU Artificial Intelligence Act (“AI Act”), which aims to regulate artificial intelligence (AI) in order to ensure better conditions for the development and use of this innovative technology, some of these considerations played a role. For example, Article 2(7) calls for guaranteeing the right to privacy and protection of personal data throughout the entire lifecycle of the AI system.
