The Irish Data Protection Commission (DPC) has successfully concluded its legal proceedings against X, formerly known as Twitter, regarding its AI tool, “Grok.” The proceedings, brought before the Irish High Court in August 2024, were initiated over concerns about the use of personal data from X’s EU and EEA users to train the AI system. The court struck out the case in September 2024 after X agreed to permanently adhere to the terms of an undertaking issued by the DPC earlier in August.
The case against X was brought under urgent circumstances due to the DPC’s concerns that personal data contained in public posts from users in the EU and EEA were being used without proper consent for AI training purposes. This, according to the DPC, posed a potential risk to individuals’ fundamental rights and freedoms. It marked the first time the DPC, acting as the lead supervisory authority for data protection across the EU/EEA, had utilized its powers under Section 134 of the Data Protection Act 2018 to take such action against a company.
Section 134 allows the DPC to seek an order from the High Court when there is an urgent need to protect the rights of data subjects, giving the Commission the power to suspend or restrict data processing activities. The DPC’s legal intervention came after X’s measures to mitigate the processing risks were delayed and incomplete, raising concerns about the ongoing use of collected data for training the AI tool.
DPC Commissioner and Chairperson, Des Hogan, welcomed the court’s decision, stating: “The DPC welcomes today’s outcome which protects the rights of EU/EEA citizens. This action further demonstrates the DPC’s commitment to taking appropriate action where necessary, in conjunction with its European peer regulators. We are grateful for the Court’s consideration of the matter.”
Hogan emphasized that the DPC’s intervention in this case highlights the regulator’s dedication to safeguarding the privacy of individuals when personal data is processed in the development and training of AI models. The agreement by X to adhere to the DPC’s terms on a permanent basis is seen as a significant step toward ensuring compliance with privacy regulations.
The DPC’s involvement in the X case is part of a broader effort to address the challenges arising from the use of personal data in AI systems. The Commission has raised concerns about how personal data is processed at various stages of AI model development, particularly when it comes to the legal basis for data processing. In response to these concerns, the DPC is seeking an opinion from the European Data Protection Board (EDPB) under Article 64(2) of the General Data Protection Regulation (GDPR).
This request is intended to facilitate discussions at the EU level and bring clarity to key issues surrounding the use of personal data in AI model training. The DPC hopes that the resulting opinion from the EDPB will contribute to a proactive and consistent regulatory approach across Europe, addressing concerns about both first-party and third-party data used in AI systems.
Commissioner Dale Sunderland, who also commented on the DPC’s ongoing work, noted: “The DPC hopes that the resulting opinion will enable proactive, effective and consistent Europe-wide regulation of this area more broadly. It will also support the handling of a number of complaints that have been lodged with/transmitted to the DPC in relation to a range of different data controllers, for purposes connected with the training and development of various AI models.”
The DPC’s actions against X underscore the importance of transparency and compliance in the development and deployment of AI technologies. The case also highlights the significant role that data protection authorities, like the DPC, play in regulating emerging technologies to protect individual rights.
Need Help?
With every day comes a new AI regulation or bill, and you might have questions and concerns about how it will impact you. Don’t hesitate to reach out to BABL AI. Their Audit Experts are ready to provide valuable assistance.
