Elon Musk’s X Could Still Be Sanctioned for Training Grok on Europeans’ Data

Earlier this week, the EU’s top privacy regulator wrapped up legal proceedings over how X processed user data to coach its Grok AI chatbot, however the saga isn’t over yet for the Elon Musk-owned social media platform formerly referred to as Twitter. Ireland’s Data Protection Commission (DPC) confirmed to TechCrunch that it has received — and can “investigate” — plenty of complaints filed under the General Data Protection Regulation (GDPR).

“The DPC will now investigate the extent to which any processing that took place complies with the relevant provisions of the GDPR,” the regulator told TechCrunch. “If, as a result of that investigation, it is determined that TUIC (Twitter International Unlimited Company, as X’s principal Irish subsidiary is still called) has breached the GDPR, the DPC will consider whether the exercise of any of the remedial powers is justified, and if so, which one(s).”

X agreed to suspend processing data for Grok training in early August. X’s commitment was then made everlasting earlier this week. That agreement required X to delete and stop using European user data for training its AIs that it collected between May 7, 2024, and August 1, 2024, based on a replica obtained by TechCrunch. However, it’s now clear that X has no obligation to delete any AI models trained on that data.

So far, X has not faced any sanctions from the DPC for processing Europeans’ personal data to coach Grok without people’s consent – ​​despite urgent legal motion by the DPC to dam the info collection. Fines under the GDPR will be severe, reaching as much as 4% of world annual turnover. (Considering that the corporate’s revenues are currently free falland will struggle to succeed in $500 million this yr, judging by its published quarterly results, which could possibly be particularly painful.)

Regulators even have the facility to order operational changes by demanding that violations stop. However, investigating complaints and enforcing them can take a protracted time—even years.

This is significant because while X has been forced to stop using Europeans’ data to coach Grok, it could actually still run any AI models it has already trained on data from individuals who haven’t consented to its use — with none urgent intervention or sanctions to forestall this.

When asked whether the commitment the DPC obtained from X last month required X to delete any AI models trained on Europeans’ data, the DPC confirmed to us that it didn’t: “The commitment does not require TUIC to take that action; it required TUIC to permanently cease processing the datasets covered by the commitment,” the spokesperson said.

Some might say it is a clever way for X (or other model trainers) to get around EU privacy rules: Step 1) Silently use people’s data; Step 2) use it to coach AI models; and — when the cat’s out of the bag and regulators eventually come knocking — commit to deleting the *data* while leaving the trained AI models intact. Step 3) Profit based on Grok!?

When asked about this risk, the DPC replied that the aim of the urgent legal proceedings was to handle “significant concerns” that X’s processing of EU and EEA user data to coach Grok “gave rise to risks to the fundamental rights and freedoms of data subjects”. However, it didn’t explain why it didn’t have the identical urgent concerns concerning the risks to the basic rights and freedoms of Europeans resulting from their information being placed on Grok.

Generative AI tools are notorious for producing false information. Musk’s inversion of that category can be deliberately rude—or “anti-woke,” as he calls it. That could raise the stakes within the sorts of content it could produce about users whose data was ingested to coach the bot.

One reason the Irish regulator could also be more cautious about tips on how to take care of the difficulty is that these AI tools are still relatively latest. There can be uncertainty amongst European privacy watchdogs about tips on how to implement GDPR on such a brand new technology. It can be unclear whether the regulation’s powers would come with the power to order the deletion of an AI model if the technology was trained on data processed unlawfully.

However, as complaints on this area proceed to multiply, data protection authorities will ultimately need to face the issue of artificial intelligence.

Cucumber spoilage

In separate news overnight Friday, the news emerged that the pinnacle of Global X has left. Reuters Agency announced the departure of long-time worker Nick Pickles, a British national who spent a decade at Twitter and rose through the ranks during Musk’s tenure.

IN write to XPickles says he made the choice to go away “a few months ago” but didn’t provide details on his reasons for leaving.

But it’s clear the corporate has quite a bit on its plate — including coping with a ban in Brazil and the political backlash within the U.K. over its role in spreading disinformation related to last month’s unrest there, with Musk having a private penchant for adding fuel to the fireplace (including posting on X suggesting that “civil war is inevitable” for the U.K.).

In the EU, X can be under investigation under the bloc’s content moderation framework, with the primary batch of complaints concerning the Digital Services Act filed in July. Musk was also recently singled out for a private warning in an open letter written by the bloc’s Internal Markets Commissioner, Thierry Breton — to which the chaos-loving billionaire decided to reply with an offensive meme.