The Data Protection Commission (DPC) has announced it will launch an investigation into X for processing the personal data of European users to train its large language models (LLMs).
According to the Irish data protection authority (DPA), X used public posts from European X users to train its chatbot Grok. This means that Elon Musk’s social media company collected and processed the personal data of European citizens.
The regulator says it wants to investigate whether the processing of this data violates the General Data Protection Regulation (GDPR).
“Like other modern LLMs, the Grok LLMs have been developed and trained on a wide variety of data. This inquiry considers a range of issues concerning the use of a subset of this data, which was controlled by XIUC [X, ed.] – namely personal data comprised in publicly accessible posts posted on the ‘X’ social media platform by EU/EEA users. The purpose of this inquiry is to determine whether this personal data was lawfully processed in order to train the Grok LLMs,” the DPC states in a press release.
On May 7th, 2024, X secretly began processing personal data, including that of European citizens. All information was collected by default; however, X users had the option to opt out.
As soon as the DPC got wind of these practices, it told the Financial Times it was surprised about this because according to European privacy laws, it is prohibited to collect personal data of European citizens by default. The regulator also wondered whether the opt-out option that was introduced by X was compliant with European data protection laws.
In August 2024, the Irish DPA filed a lawsuit with the Irish High Court. In September, X decided to put a stop to the processing of data of European X users, after which the DPC dropped its lawsuit.
“The DPC welcomes today’s outcome, which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action where necessary, in conjunction with its European peer regulators. We are grateful for the Court's consideration of the matter,” DPC Commissioner Des Hogan said in a statement.
The DPC has the power to impose penalties of up to €20 million, or 4% of a company’s total annual revenue for severe violations. It’s unclear when the inquiry will be finished.
Your email address will not be published. Required fields are markedmarked